tags:

views:

63

answers:

6
+2  Q: 

Does Ajax inevitably result public API?

I am using AJAX to generate actions on my website. For example, a "search results page" calls Ajax which initiates "/getResults.php". This PHP file returns a JSON with 20 entries that contains the results. The HTML Page calls the callback function and re-builds the DOM with the results from the JSON.

It thus seems inevitable that using Ajax in this form will result public API (just send "/getResults.php" a request with a query and you will get easy to use JSON).

Is there anyway to block these Ajax calls? This is more acute when setting database entries, and not only retrieving.

Thanks,

Joel

A: 

No, a public json api needs to return the json wrapped in a javascript function, known as jsonp. You are fine if you return just a json object.

redsquare  2010-10-05 08:31:45
That only applies if he's wanting to prevent other sites from using those interfaces from their own AJAX interfaces. It'd still be trivial to use it as an API from any non-browser consumer.
Chris Heald  2010-10-05 08:35:27
True. One can initiate the call from the server-side.
Joel  2010-10-05 08:40:43
I read the question in terms of exposing an ajax json api ala flickr etc
redsquare  2010-10-05 08:40:54
+2  A: 

You could use nonces or short-lived CSRF token. Write it into the page and the session and pass it back with your requests. This adds a little bit of impedance, but anyone that's really determined to get your data won't have much of a problem doing so, since they could just screen-scrape a token to use in their own requests.

Why are you wanting to protect those interfaces, and how important is it that people not be able to get access to them outside of your app? If it's really critical that you protect that data, you'll need to go with a solution that isn't client-driven, which unfortunately means no AJAX, as you're likely well aware.

Chris Heald  2010-10-05 08:32:05
Not every site uses session so not always an option
redsquare  2010-10-05 08:39:04
There are other options, like using a hash of `remote ip + endpoint URI + salt`, though that'd require a token written to the page per potential endpoint to be consumed from the page. Obviously, you'd have to adapt it to the constraints of the product. The goal is just to, at some level, require that a user view the calling page in order to make a request to one of those endpoints.
Chris Heald  2010-10-05 08:43:57
Like deceze wrote, every request via HTTP suffers from the same problem. The bigger problem with AJAX is that it is so simple to use the server-side script that handles the Ajax call, since it is designed to get a simple variable and return well-foramtted results. It is just too tempting for external sources to use it if needed. It looks like it comes down to the CSRF problem eventually...
Joel  2010-10-05 08:46:42
+4  A: 

Since the "API" will have to be accessible via normal HTTP requests, it's by definition "public". But, it is playing by the same rules as all other HTTP requests as well. Somebody could submit POST requests to your form submission pages without actually using your site, which is the exact same problem. You can secure your AJAX calls the same way you'd secure your POST submissions; i.e. not at all, or by requiring cookies, or by requiring some special token, or by applying IP filtering or throttling, etc. pp.

deceze  2010-10-05 08:33:55
A: 

From the jQuery .load() function description

Due to browser security restrictions, most "Ajax" requests are subject to the same origin policy; the request can not successfully retrieve data from a different domain, subdomain, or protocol.

Ryan French  2010-10-05 08:34:42
A: 

No. You're sort of creating a public API.

There may be ways witch make it harder to use your API, obfuscation of your code in combinisation with some sort of checksum that only you know how to correctly create.

When writing data to the server you should always authenticate the user anyway. The same system that works for your page now should work for your AJAX calls. (Cookies, HTTP Authentication, ...)

Georg  2010-10-05 08:35:02
A: 

One rudimentary level of 'protection' is to check the HTTP_REFERER header on your server to make sure the request is coming from your own website. This can be spoofed, though, so I wouldn't trust it too much.

Sudhir Jonathan  2010-10-05 08:38:13

related questions

What's safe for a C++ plug-in system?
Timezone lookup from latitude longitude
Working with Common/Utility Libraries
Best Screencasting Program For Windows That Has An API
Notification API for windows
Error handling / error logging in C++ for library/app combo
Who provides a WHOIS API?
Spread vs MPI vs zeromq?
How should I build a good (web) API
How do I recover from an unchecked exception?
Protecting API Secret Keys in a Thick Client application
How do I find the 'temp' directory in Linux?
Best practices for development environment and API dev?
How to detect which blog API
Where do I find information about Blog APIs and how to use them?
Javascript Load Order
How do you spawn another process in C?
Google Analytics Access with C#
Parameter Binding: What happens under the hood?
Picasa Plugin
Is there an API that allows you to find out how many sites link to yours?
Is there any kind of non text interface to MySQL?
looking for a GPS with a good API
API Yahoo India Maps
GUI Programming APIs