When the user has JavaScript enabled, the do_ajax_submit( ) function is called and the
standard form post is canceled. Typically, that function will serialize the parameters,
send them to the server, and perform some other action. With Rails' respond_to
methods, you can actually use the same actions for both standard HTML and JavaScript
responses, differentiated by the HTTP Accept header.
There is no specific security guidance here, except to review your code and be sure
that an attacker cannot bypass your security by using your non-AJAX methods rather
than your AJAX ones. Typically, the AJAX methods are the flashiest, best supported,
and best tested. They get the most attention, but it is just as important to pay
attention to the non-AJAX interfaces.
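The following is an added, framework-free Ruby illustration of the point just made; it is not code from the book. It models a single action that answers both an HTML form post and a JavaScript (AJAX) request, choosing the branch from the Accept header. The weak version puts its authorization check only in the JavaScript branch, so a plain HTML request skips it; the corrected version runs the check as a before-filter ahead of the format switch, so both paths are covered. All class, method and field names (Request, require_admin, process_action, the admin flag) are hypothetical stand-ins for Rails' real before_action and respond_to machinery.

```ruby
# Constructed, framework-free model of a Rails-style action that serves
# both HTML and JS. Names are hypothetical; nothing here requires Rails.

# Minimal request: which format was negotiated, who is calling, and params.
Request = Struct.new(:format, :user, :params)

FORBIDDEN = { status: 403, body: "forbidden" }.freeze

# Pick the response format from the Accept header, the way a respond_to
# block distinguishes an AJAX call from a plain form post.
def format_from_accept(accept_header)
  accept_header.to_s.include?("text/javascript") ? :js : :html
end

# Weak pattern: the authorization check lives only in the JS branch.
# A request that simply asks for text/html never reaches the check.
class InsecureItemsController
  def destroy(request)
    case request.format
    when :js
      return FORBIDDEN unless request.user[:admin]
      { status: 200, body: "deleted ##{request.params[:id]} (js)" }
    else
      # Non-AJAX path: same destructive effect, no check at all.
      { status: 302, body: "deleted ##{request.params[:id]} (html)" }
    end
  end
end

# Corrected pattern: the check is a before-filter that runs before the
# action, so it applies regardless of which format the client asked for.
class SecureItemsController
  BEFORE_ACTIONS = [:require_admin].freeze

  # Run every filter first; a filter that returns a response halts the chain.
  def process_action(action_name, request)
    BEFORE_ACTIONS.each do |filter|
      halted = send(filter, request)
      return halted if halted
    end
    send(action_name, request)
  end

  def destroy(request)
    respond_to(request.format,
      html: -> { { status: 302, body: "deleted ##{request.params[:id]} (html)" } },
      js:   -> { { status: 200, body: "deleted ##{request.params[:id]} (js)" } })
  end

  private

  # Returns nil to let the action proceed, or a response to halt it.
  def require_admin(request)
    FORBIDDEN unless request.user[:admin]
  end

  # Simplified stand-in for Rails' respond_to: 406 for an unknown format.
  def respond_to(format, handlers)
    handler = handlers[format]
    return { status: 406, body: "not acceptable" } unless handler
    handler.call
  end
end

if $PROGRAM_NAME == __FILE__
  guest = { admin: false }
  html = Request.new(format_from_accept("text/html"), guest, { id: 7 })
  puts "insecure, guest via HTML: #{InsecureItemsController.new.destroy(html)[:status]}"
  puts "secure,   guest via HTML: #{SecureItemsController.new.process_action(:destroy, html)[:status]}"
end
```

Reviewing for this pattern is mostly a matter of asking, for each action, whether the check would still run if the client sent a different Accept header or hit the non-AJAX route directly; a filter that runs before the action makes that question moot.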
Avoid Security Through Obscurity
One principle of security is that security through obscurity is no security at all. Security
should be inherent in the system, and not depend on an attacker's ignorance of
architecture. This descends from Kerckhoffs' principle in cryptography: a system's
security should lie only in its key (rather than in the algorithm). This principle can be
paraphrased for web applications: your application should be designed so as to
remain secure even if your source code, architecture, and configuration (with the
obvious exception of passwords and the like) were published for all to see.