Ajax in rails is a security violation

Does anybody have any issues with the AJAX code inside Rails? Whenever
I use any sites I have built, or even external sites (such as
basecamphq), my internal security device blocks access to the Ajax piece
with a 400 Bad Request (I scoured the net for other Ajax examples and
no issues anywhere else). I think there is something in the AJAX code of
Rails that is not implemented correctly. Has anybody else come across
this?

thanks
adam

Adam D. wrote:

Does anybody have any issues with the AJAX code inside Rails? Whenever
I use any sites I have built, or even external sites (such as
basecamphq), my internal security device blocks access to the Ajax piece
with a 400 Bad Request (I scoured the net for other Ajax examples and
no issues anywhere else). I think there is something in the AJAX code of
Rails that is not implemented correctly. Has anybody else come across
this?

Nope… What is this internal security device of which you speak?

On 1/4/06, Adam D. wrote:

Does anybody have any issues with the AJAX code inside Rails? Whenever I
use any sites I have built, or even external sites (such as basecamphq), my
internal security device blocks access to the Ajax piece with a 400 Bad
Request (I scoured the net for other Ajax examples and no issues anywhere
else). I think there is something in the AJAX code of Rails that is not
implemented correctly. Has anybody else come across this?

thanks
adam

Perhaps you could explain what criteria your ‘internal security
device’ uses to determine if a request is a bad one. AJAX requests
are the same as HTTP requests for the most part. The only thing I can
think of offhand is the custom header that Prototype adds. But, I
believe it’s a perfectly valid header extension.


rick
http://techno-weenie.net

Why does Prototype add custom headers? Is there a way to test it
without those headers?

The device is a spyware/malware proxy by a company called Finjan. It
seems to only block requests for Rails XMLHttp requests, and I am
trying to figure out why. The unique header is definitely one of the
possibilities; is there an easy way to disable this?

thanks
adam

On 1/4/06, Adam D. wrote:

Why does Prototype add custom headers? Is there a way to test it
without those headers?

The device is a spyware/malware proxy by a company called Finjan. It
seems to only block requests for Rails XMLHttp requests, and I am
trying to figure out why. The unique header is definitely one of the
possibilities; is there an easy way to disable this?

Look at Ajax.Request.setRequestHeaders(), in prototype.js. It sends
info on the version of prototype that’s being used. One major use is
the fact that I can detect prototype requests in controllers and treat
them differently than normal requests.

Easy way to disable it? Not for other websites unfortunately.


rick
http://techno-weenie.net

On 1/4/06, Adam D. wrote:

Why does Prototype add custom headers? Is there a way to test it
without those headers?

The device is a spyware/malware proxy by a company called Finjan. It
seems to only block requests for Rails XMLHttp requests, and I am
trying to figure out why. The unique header is definitely one of the
possibilities; is there an easy way to disable this?

Sounds like Finjan is broken.

Well, I would agree that the device is broken, but every other example of
an AJAX example works fine with XMLHttp request; only Rails AJAX samples
are broken, which is why I tried to figure out the difference. At this
point it seems to be the custom headers that may be throwing it off.

thanks
adam
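
An added example, not part of the thread: one way to test the custom-header theory discussed above is to replay the same request with no custom headers, with each Prototype header alone, and with all of them, then compare the status codes the proxy returns. The two header names are the ones prototype.js sets (the thread does not name them); `diagnose`, `simulatedProxy` and the version value are hypothetical and constructed for illustration.

```javascript
// Added example, not code from the thread. Header names are the ones
// prototype.js sets on Ajax requests; the version value is a constructed sample.
const PROTOTYPE_HEADERS = {
  'X-Requested-With': 'XMLHttpRequest',
  'X-Prototype-Version': '1.4.0', // constructed sample value
};

// Probe plan: no custom headers, each header on its own, then all together.
function buildProbes(custom) {
  const probes = [{ label: 'baseline', headers: {} }];
  for (const name of Object.keys(custom)) {
    probes.push({ label: name, headers: { [name]: custom[name] } });
  }
  probes.push({ label: 'all', headers: { ...custom } });
  return probes;
}

// Turn the status code seen for each probe into a verdict.
function interpret(probes, statuses) {
  const status = {};
  probes.forEach((p, i) => { status[p.label] = statuses[i]; });
  const blocked = (label) => status[label] >= 400;
  // If the bare request is already rejected, the headers are not the cause.
  if (blocked('baseline')) return { verdict: 'not-header-related', culprits: [] };
  const single = probes.map((p) => p.label)
    .filter((l) => l !== 'baseline' && l !== 'all' && blocked(l));
  if (single.length > 0) return { verdict: 'single-header', culprits: single };
  // Each header passes alone but the full set fails: the rule keys on a combination.
  if (blocked('all')) return { verdict: 'combination', culprits: [] };
  return { verdict: 'headers-accepted', culprits: [] };
}

// send(headers) must return the HTTP status observed through the proxy.
function diagnose(send, custom = PROTOTYPE_HEADERS) {
  const probes = buildProbes(custom);
  return interpret(probes, probes.map((p) => send(p.headers)));
}

// Constructed stand-in for a filtering proxy that rejects one header name.
function simulatedProxy(rejectedName) {
  return (headers) => (rejectedName in headers ? 400 : 200);
}

console.log(diagnose(simulatedProxy('X-Prototype-Version')));
```

With a real device, collect the status codes for each probe using any HTTP client routed through the proxy and pass them to `interpret` in probe order.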
