
As Designed JSON Requests

Discussion in 'Resolved Bug Reports' started by Daniel Hood, Oct 23, 2013.

  1. Daniel Hood

    Daniel Hood Well-Known Member

    Not really sure if this is a bug or if there's a reason behind it, but when you go to http://xenforo.com/community/?_xfResponseType=json and you're logged in, it'll say security error. If you're logged out (open it in an incognito window if you're on Chrome) you get all the data. Seems a little weird.
  2. whynot

    whynot Well-Known Member

    Are you using IE 11?
  3. Rigel Kentaurus

    Rigel Kentaurus Well-Known Member

    Not really a bug, it is asking for the _xfToken.

    That is intended to prevent cross-domain forgery; that way I cannot just set up a page to do a "post" request to XenForo.com while you are browsing my site, which will indirectly (and without your knowledge) trigger an action.

    That check is not done for guests, because they don't need it.
  4. Daniel Hood

    Daniel Hood Well-Known Member

    I understand why it says security error, I guess I just don't understand why it outputs all the data for guests though. I realize it doesn't hurt anything, I just find it odd.
  5. Jeremy P

    Jeremy P Well-Known Member

    Guests, having no session, aren't in danger of CSRF attacks, so there's not a security issue.
  6. Daniel Hood

    Daniel Hood Well-Known Member

    Fair enough.
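
The behaviour the replies describe, as an added example that is not part of the thread and is not XenForo's code: a session-bound anti-CSRF token is required for JSON responses when a session exists and skipped for guests. The HMAC token scheme, the function names and the response shapes are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed per-process secret; a real application would load a persistent key.
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Hypothetical token scheme: HMAC of the session id, so a token
    issued for one session is useless in any other."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_json_request(session_id: Optional[str], token: Optional[str]) -> dict:
    """Decide what a request for the JSON response type gets back.

    session_id -- value of the session cookie, None for a guest
    token      -- value sent in the role of _xfToken, None if absent
    """
    if session_id is None:
        # Guest: the browser attaches no session, so a request forged from
        # another site carries no authority. Only public data is returned.
        return {"status": "ok", "view": "public"}

    expected = issue_token(session_id)
    # Compare as bytes in constant time; encoding first also keeps
    # compare_digest from raising on non-ASCII input.
    if token is None or not hmac.compare_digest(expected.encode(), token.encode()):
        return {"status": "error", "message": "security error"}

    return {"status": "ok", "view": "member"}


if __name__ == "__main__":
    sid = "constructed-session-id"
    print(handle_json_request(None, None))             # guest, no token needed
    print(handle_json_request(sid, None))              # logged in, token missing
    print(handle_json_request(sid, issue_token(sid)))  # logged in, valid token
```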
