ASP.NET
MADm, 2014-11-10 10:09:11

How to restrict ajax?

We have a page that responds to ajax. It is made like a regular aspx page in which the session is checked and a response is given. Approximately like this:

using System;

public partial class GetChatMessages : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Check the session before answering.
        SessionHelper.LoggedInOrRedirect();
        SessionHelper.AllowedRequestOrThrow();

        // Return the result as UTF-8 JSON.
        Response.ContentType = "application/json";
        Response.ContentEncoding = System.Text.Encoding.UTF8;

        Response.Write(getResponse());
    }
}

The problem is that this page responds to a request from any domain, provided that we have a session on the server. That is, we open our site in one tab and a completely unrelated site in another, and from the unrelated site we make an ajax request to our site. Cookies are sent, the session is confirmed, and the unrelated site receives our private data via ajax and does whatever it wants with it. How can this behavior be limited, so that nothing is given to the unrelated domain?


2 answer(s)
YemSalat, 2014-11-10
@YemSalat

If you can do this, then it is specially configured this way; by default, cross-domain requests are prohibited.

Terminaft, 2014-11-10
@Terminaft

Have you tested this in practice? By default, cross-domain requests for js are prohibited; they can only be made if your server sends headers that allow them.
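
An added example, not part of the thread: the check a browser applies before letting a script on another origin read a response, which is the default both answers refer to. It can be run over the headers the endpoint actually returns; the origin and the header sets below are constructed.

```javascript
// Added example, not from the thread. Sample origins and header sets are constructed.
function headerValue(headers, name) {
  // HTTP header names are case-insensitive.
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Browser-side CORS check: may a script running on pageOrigin read this response?
// withCredentials = the request carried the user's cookies (session).
function corsCheck(pageOrigin, responseHeaders, withCredentials) {
  const allowOrigin = headerValue(responseHeaders, 'Access-Control-Allow-Origin');
  if (allowOrigin === null) {
    return { readable: false, reason: 'no Access-Control-Allow-Origin header (default)' };
  }
  if (!withCredentials) {
    const ok = allowOrigin === '*' || allowOrigin === pageOrigin;
    return { readable: ok, reason: ok ? 'origin allowed, no cookies sent' : 'origin not allowed' };
  }
  if (allowOrigin === '*') {
    return { readable: false, reason: 'wildcard is rejected for credentialed requests' };
  }
  if (allowOrigin !== pageOrigin) {
    return { readable: false, reason: 'allowed origin does not match the requesting page' };
  }
  if (headerValue(responseHeaders, 'Access-Control-Allow-Credentials') !== 'true') {
    return { readable: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  return { readable: true, reason: 'server allows this origin to read with cookies' };
}

// Audit helper: given the headers a server returned to a request whose Origin was
// foreignOrigin, report whether session-protected data is readable from that origin.
function exposesSessionData(foreignOrigin, responseHeaders) {
  return corsCheck(foreignOrigin, responseHeaders, true).readable;
}

const FOREIGN = 'https://other.example'; // constructed unrelated origin
const SAMPLES = {
  'default (no CORS headers)': { 'Content-Type': 'application/json' },
  'wildcard': { 'Access-Control-Allow-Origin': '*' },
  'wildcard + credentials': { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' },
  'origin echoed + credentials': { 'access-control-allow-origin': FOREIGN, 'Access-Control-Allow-Credentials': 'true' },
};
for (const [name, headers] of Object.entries(SAMPLES)) {
  const r = corsCheck(FOREIGN, headers, true);
  console.log(`${name}: ${r.readable ? 'READABLE' : 'blocked'} (${r.reason})`);
}
```

Only the last sample lets the unrelated page read a response fetched with the user's cookies, so that header combination is the one to look for in the application or IIS configuration.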
