I just saw this: http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses
Should we be doing that in Moodle?
I just saw this: http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses
Should we be doing that in Moodle?
Sounds awesome
I would assume that creating CSRF tokens instead is a better way of doing it for Moodle.
Google essentially does this because it would require a humongous load to create CSRF tokens for all their JSOP requests.
Also, there are still ways around the while(1); where as CSRF tokens are watertight. (the while(1); only stops inclusion in <script> tags)
Dumb grep:
$ git grep -l 'AJAX_SCRIPT' | xargs grep -L sesskey availability/condition/date/ajax.php badges/ajax.php badges/assertion.php course/category.ajax.php course/dndupload.php course/format/formatlegacy.php course/format/topics/lib.php course/format/weeks/lib.php enrol/locallib.php help_ajax.php install.php lib/ajax/getnavbranch.php lib/ajax/getsiteadminbranch.php lib/outputfactories.php lib/setuplib.php login/token.php mod/assign/feedback/editpdf/ajax_progress.php mod/glossary/showentry_ajax.php report/loglive/loglive_ajax.php tag/tag_autocomplete.php webservice/pluginfile.php webservice/upload.php
OK, so currently we have a problem. The question is, how shall we solve it? The while (1) thing, or requiring sesskey in all AJAX scripts?
David's assumption seems logical to me.
I guess we could make codechecker scream if you define AJAX_SCRIPT, but don't check sesskey? Or we could, probably make it a developer debug warning somehow, but will anyone see developer debug messages during an ajax request? (It only works if you send the messages to the logs, not the screen.)