So, I have an API for my topsite which I give to my users to put on their pages.

API:

<script type="text/javascript">

 var id = 21; // the customer's site ID on topsite.com

 $(document).ready(function(){
      // ask topsite.com whether this visitor still has to vote
      $.getJSON("http://topsite.com/index.php?page=vote", { id: id, hasVoted: 'unknown' }, function(data) {
           if(data == 2) {
                // 2 means the visitor should be sent to the vote page
                window.location.replace("http://topsite.com/index.php?page=vote&id=" + id);
           }
      });
 });
</script>

So, basically what I want to do is prevent my customers from putting this code on their site:

<script type="text/javascript">$.getJSON("http://topsite.com/index.php?page=vote&id=21");</script>

Because I want the users to get redirected to my site so I can earn some money from ads and even show them some information.

So, I want to know if there is any way to know when an ajax request is being used to access the site, or if there is a way to disable AJAX requests if the hasVoted parameter is set.

Any help is appreciated, thanks!

EDIT: I'll send custom headers when redirecting from site with 'hasVoted' parameter to other page.

QUESTION FOR EDIT: how would I go about sending a custom header with Location? Or am I way off here?

3 Answers


Unofficially, many AJAX libraries add a custom HTTP header called X-Requested-With and set the value to XMLHttpRequest. You can check for that header and see if it's set to that value in which case a good assumption is that it's an AJAX request.

However, there is no standard and if you build an XMLHttpRequest directly (i.e., implement your own AJAX code), then there is no real way to tell.

Eli Sand
  • I was actually thinking of maybe sending a custom HTTP header when the 'hasVoted' parameter was set. Then on the other page checking if it's set, would that work? – Manuel Fernández Apr 02 '12 at 01:54
  • That would work. I've already done that for other purposes (sending a different template if the request was made by a particular ajax request or not). – user978548 Apr 02 '12 at 01:57
  • But note that even this can be faked. If someone looks at the hasVoted request or looks at the headers, he can then add it. I think if someone really wants to fake an identity to get your data, you'll have a hard time trying to avoid it. – user978548 Apr 02 '12 at 02:04
  • I see. Well, I'd rather make it hard for anyone who wants to do so. By the way, how would I go about sending a custom header with Location? Or am I way off here? Question added to main post. – Manuel Fernández Apr 02 '12 at 02:24
  • May (or not) be of interest: http://stackoverflow.com/questions/3759575/custom-headers-with-ajax-type-jsnop-or-json – user978548 Apr 02 '12 at 02:51

Firstly, ajax requests won't work cross-domain like that. That code won't work for any website apart from topsite.com and its sub-domains.

However there's nothing stopping anyone from parsing the contents via a server side script. And there's no possible way to completely block people from downloading it (you can make it difficult, but as long as it's publicly available, people can download it)

Ben Rowe
  • @Manuel, http://jsfiddle.net/HSWTJ/ it's throwing an error for me saying it can't access the domain due to cross-domain policy issues. – Ben Rowe Apr 02 '12 at 01:51
  • http://topsite.com is a dummy domain, not my website since it wasn't really needed for me to post the domain. – Manuel Fernández Apr 02 '12 at 01:53
  • it's not even making the request... the actual domain is irrelevant. domainx.com can't make ajax calls to domainy.com. As I, Eli, and NiftyDude have pointed out, it is locked down by the same origin policy that all modern browsers use. – Ben Rowe Apr 02 '12 at 01:56
  • Enlighten me then how more than 50 sites are using the API and everything is working perfectly fine. – Manuel Fernández Apr 02 '12 at 01:57
  • Actually, the 50 sites include a script, but it doesn't make the user's browser make an HTTP request, no? – user978548 Apr 02 '12 at 02:00
  • They're either using jsonp, which is to get around the same origin policy, or the API is available server-side. There's missing information as to how... I'm not saying it's not possible, but merely commenting based on the sample of code you have provided. If you don't provide all the pieces of the puzzle then I'm not going to assume things on your behalf. – Ben Rowe Apr 02 '12 at 02:02
  • Right; if 50 *sites* (as opposed to users) are using the API, there's almost no doubt that they're getting the data via a normal HTTP request, not via an Ajax call. – Greg Pettit Apr 02 '12 at 02:15
  • @ManuelFernández did you actually try making requests to domains different than the originating request? According to wiki, it won't even work for subdomains http://en.wikipedia.org/wiki/Same_origin_policy#Origin_determination_rules, those APIs can make it using jsonp http://en.wikipedia.org/wiki/JSONP which needs intervention server-side, that's why it's "deemed" safer – Andreas Wong Apr 02 '12 at 02:17
  • I have some server-side code in here. Take a look at my question if you'd like. http://stackoverflow.com/questions/9765219/xmlhttprequest-cross-domain-throws-error – Manuel Fernández Apr 02 '12 at 02:29
  • The policy of not allowing XSS (cross site scripting) is a browser policy in the name of security for the user. You wouldn't want a website making hidden requests on your behalf to all sorts of sites which is why browsers, by default, prevent XSS with AJAX calls. An individual user can disable this security check in their browser however, and there are new proposals on AJAX introducing HTTP headers such as `Access-Control-Allow-Origin` that allow developers of the server-side portion of AJAX to allow XSS. – Eli Sand Apr 02 '12 at 22:46
  • If you're not dealing with a browser however, you can do anything - so any thoughts of protection from XSS are completely out the door... and all someone would need is a server-side component to act like a browser and make the HTTP call remotely, fiddle with it all they want, then serve the result to the client (browser) however they wish. – Eli Sand Apr 02 '12 at 22:47
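The following is an added example, not code from the question or either answer. It sketches the check the first answer describes (treat a request carrying `X-Requested-With: XMLHttpRequest` as AJAX and refuse to count it as a vote) and then shows the caveat from the second answer and its comments: any client that is not a jQuery-style library, whether a raw XMLHttpRequest, curl, or a server-side fetch, can simply leave the header out and is indistinguishable from a browser visit. The handler shape, the 403 response, and the query names are assumptions; every request below is constructed, not captured traffic.

```javascript
// Added example (not the site's code). Server-side decision for
// index.php?page=vote, modelled as a pure function so it runs offline.

// HTTP header names are case-insensitive, so look them up that way.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// jQuery, Prototype and similar libraries add this header to every
// XMLHttpRequest they issue. It is a convention, not part of any standard.
function looksLikeAjax(headers) {
  const value = getHeader(headers, "X-Requested-With");
  return typeof value === "string" && value.toLowerCase() === "xmlhttprequest";
}

// Hypothetical handler: returns { status, body } instead of writing to a
// socket. Query names (id, hasVoted) follow the widget in the question.
function handleVote(request) {
  const id = String(request.query.id || "");
  if (!/^\d+$/.test(id)) {
    return { status: 400, body: "bad id" };
  }
  if (request.query.hasVoted === "unknown") {
    // The widget's status poll from the question: answer 2 ("redirect me").
    return { status: 200, body: JSON.stringify(2) };
  }
  if (looksLikeAjax(request.headers)) {
    // A vote submitted by script rather than by a real page visit: refuse it,
    // so the only way to vote is to land on the page with its ads.
    return { status: 403, body: "vote from a page visit, not XMLHttpRequest" };
  }
  // Ordinary navigation: record the vote and serve the page.
  return { status: 200, body: "vote page for id " + id };
}

// Constructed requests (assumed shapes, not real traffic).
const widgetPoll = {
  headers: { "X-Requested-With": "XMLHttpRequest" },
  query: { id: "21", hasVoted: "unknown" },
};
// What the question wants to stop: jQuery calling the vote URL directly.
// jQuery sets the header (header-name case varies), so the check catches it.
const jqueryVote = {
  headers: { "x-requested-with": "XMLHttpRequest" },
  query: { id: "21" },
};
const browserVisit = {
  headers: { "User-Agent": "Mozilla/5.0" },
  query: { id: "21" },
};
// The caveat: a raw XMLHttpRequest, curl or a server-side fetch leaves the
// header out and looks exactly like a browser visit.
const forgedVisit = {
  headers: { "User-Agent": "curl/7.81.0" },
  query: { id: "21" },
};

function classify() {
  return {
    widgetPoll: handleVote(widgetPoll).status,     // 200, JSON body "2"
    jqueryVote: handleVote(jqueryVote).status,     // 403
    browserVisit: handleVote(browserVisit).status, // 200
    forgedVisit: handleVote(forgedVisit).status,   // 200: the check is bypassed
  };
}

console.log(classify());
```

On the EDIT in the question: whether the redirect is a 302 with `Location` or `window.location.replace`, the navigation request that follows carries only the browser's standard request headers, so a custom header set on the redirecting side never reaches the target page; a query parameter or a cookie would have to carry that signal, and either is as forgeable as the header check above.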

Maybe by checking the user-agent ?

user978548
  • And if you do something like (this is crappy..) effectively fetching the data in your page with something like an ajax request at DOM-ready? getJSON doesn't execute client-side JS, right? – user978548 Apr 02 '12 at 01:55