As designed JSON Requests

[Daniel Hood]

Not really sure if this is a bug or if there's a reason behind it but when you go to
http://xenforo.com/community/?_xfResponseType=json and you're logged in, it'll say security error. If you're logged out (open it in an incognito window if you're on chrome) you get all the data. Seems a little weird.

 

[whynot]

Are you using IE 11 ?

 

[Rigel Kentaurus]

Not really a bug, it is asking for the _xfToken

That is intended to prevent cross-domain forgery, that way I cannot just setup a page to do a "post" request to XenForo.com while you are browsing my site which will indirectly (and without your knowledge) trigger an action

That check is not done for guests, because they don't need it

 

[Daniel Hood]

I understand why it says security error, I guess I just don't understand why it outputs all the data for guests though. I realize it doesn't hurt anything, just find it odd.

 

[Jeremy P]

Guests, having no session, aren't in danger of CSRF attacks so there's not a security issue.

 

[Daniel Hood]

Fair enough.