Monthly Archives: August 2005

Photolog Fixed

To the (literally) hundreds of you who wrote in about the broken photos the past few weeks, I’m happy to say that the photolog is back online. It broke because while 95% of Gallery works fine with register_globals off, apparently some bit of code somewhere doesn’t. If you haven’t been to the photolog in a while there are some fun pictures from Dallas, Seattle, and New York.

AJAX and CSRF

When working on some new AJAX features for bbPress and WordPress we’ve noticed that AJAX requests don’t seem to send HTTP_REFERER values. We check referrers as one level of protection against cross-site scripting, or XSS, so when they’re not set we aren’t able to use that value. How are most people using AJAX protecting against XSS? It seems the same things we’re doing to make things easily accessible in a dynamic fashion are also opening new vectors for attack.