From 2b6af256fa6ca5784911a5a6752fba9d3e6ba232 Mon Sep 17 00:00:00 2001
From: kataras
Date: Wed, 2 Aug 2017 20:37:13 +0300
Subject: [PATCH] Fix https://github.com/kataras/iris/issues/703

Former-commit-id: 54afc90ad3f04f7164916e34f692d68118bfa675
---
 context/context.go | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/context/context.go b/context/context.go
index 36c8baa1..81061d6f 100644
--- a/context/context.go
+++ b/context/context.go
@@ -282,7 +282,18 @@ type Context interface {
 	GetHeader(name string) string
 	// IsAjax returns true if this request is an 'ajax request'( XMLHttpRequest)
 	//
-	// Read more at: http://www.w3schools.com/ajax/
+	// There is no a 100% way of knowing that a request was made via Ajax.
+	// You should never trust data coming from the client, they can be easily overcome by spoofing.
+	//
+	// Note that "X-Requested-With" Header can be modified by any client(because of "X-"),
+	// so don't rely on IsAjax for really serious stuff,
+	// try to find another way of detecting the type(i.e, content type),
+	// there are many blogs that describe these problems and provide different kind of solutions,
+	// it's always depending on the application you're building,
+	// this is the reason why this `IsAjax`` is simple enough for general purpose use.
+	//
+	// Read more at: https://developer.mozilla.org/en-US/docs/AJAX
+	// and https://xhr.spec.whatwg.org/
 	IsAjax() bool
 	// +------------------------------------------------------------+
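Review bot: The new doc comment on the interface method has a stray second backtick and an ungrammatical opening, and the identical text is pasted onto the method in the second hunk, so both copies need the same correction: `// There is no 100% reliable way of knowing that a request was made via Ajax.` and `// this is the reason why this `IsAjax` is simple enough for general purpose use.`. The substance of the note is right for callers: the header is client-controlled, so the result must not gate authorization or CSRF decisions, and it would be worth stating that consequence in one sentence rather than only "don't rely on IsAjax for really serious stuff". The mid-sentence capital in `"X-Requested-With" Header` should be lowercased as well.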
@@ -1132,10 +1143,20 @@ func (ctx *context) GetHeader(name string) string {
 // IsAjax returns true if this request is an 'ajax request'( XMLHttpRequest)
 //
-// Read more at: http://www.w3schools.com/ajax/
+// There is no a 100% way of knowing that a request was made via Ajax.
+// You should never trust data coming from the client, they can be easily overcome by spoofing.
+//
+// Note that "X-Requested-With" Header can be modified by any client(because of "X-"),
+// so don't rely on IsAjax for really serious stuff,
+// try to find another way of detecting the type(i.e, content type),
+// there are many blogs that describe these problems and provide different kind of solutions,
+// it's always depending on the application you're building,
+// this is the reason why this `IsAjax`` is simple enough for general purpose use.
+//
+// Read more at: https://developer.mozilla.org/en-US/docs/AJAX
+// and https://xhr.spec.whatwg.org/
 func (ctx *context) IsAjax() bool {
-	return ctx.GetHeader("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest"
-
+	return ctx.GetHeader("X-Requested-With") == "XMLHttpRequest"
 }
 
 // +------------------------------------------------------------+
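Review bot: The comparison on the new return line is an exact, case-sensitive match on the header value; header names are canonicalized on lookup if GetHeader wraps net/http's Header.Get (not visible here), but values are not, so a client sending `xmlhttprequest` is reported as non-Ajax. If that strictness is intended it deserves a sentence in the comment; otherwise `return strings.EqualFold(ctx.GetHeader("X-Requested-With"), "XMLHttpRequest")` accepts both spellings (check that `strings` is already imported in this file). A small unit test that sets `X-Requested-With: XMLHttpRequest` on a request and asserts IsAjax is true would pin the fix, since the old `HTTP_X_REQUESTED_WITH` spelling is a CGI-environment name that never matched a Go header lookup and nothing in the commit guards against it coming back. IsAjax begins and ends inside this hunk.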