/**
 * Returns true when the request might be a cross-site request forgery: a page
 * on another origin could have triggered it while the user's session cookies
 * were attached by the browser.
 *
 * Two request shapes are treated as not forgeable and return false:
 *
 *  - XMLHttpRequest calls, detected through isXmlHttpRequest() (the
 *    X-Requested-With header). This relies on browsers refusing to attach a
 *    custom header to a cross-origin request unless a CORS preflight allows
 *    it; the header itself is trivial for a non-browser client to set, so this
 *    is a browser-side CSRF defence only. NOTE(review): if the application
 *    reflects arbitrary origins together with Access-Control-Allow-Credentials,
 *    this assumption no longer holds — confirm the CORS configuration.
 *  - Requests carrying an 'af_apikey' parameter that
 *    afApikeySecurityFilter::isCurrentUserKey() accepts. The key acts as a
 *    secret an attacker on another site cannot supply; a key the filter
 *    rejects does not grant the exemption. NOTE(review): getParameter() may
 *    also read the query string; a key sent in a URL can leak through Referer
 *    headers and logs — verify how clients are expected to send it.
 *
 * A key value that PHP treats as falsy (null, empty string, "0") is ignored as
 * if no key had been sent, matching the plain truthiness test used here.
 *
 * @param  object $request  the request under inspection; presumably a Symfony 1
 *                          web request, must provide isXmlHttpRequest() and
 *                          getParameter()
 * @return bool   true if the request should be treated as possible CSRF
 */
private static function isPossibleCrossSiteSessionRiding($request)
{
    // Guard 1: XHR calls are exempt (see the header comment for the caveats).
    $isAjax = $request->isXmlHttpRequest();
    if ($isAjax) {
        return false;
    }

    // Guard 2: a REST call authenticated with the current user's API key is exempt.
    // The key is only handed to the filter when it is truthy, so the filter never
    // sees an empty value.
    $suppliedKey = $request->getParameter('af_apikey');
    $hasKey = (bool) $suppliedKey;
    if ($hasKey && afApikeySecurityFilter::isCurrentUserKey($suppliedKey)) {
        return false;
    }

    // Anything else could have been initiated from another site with cookies attached.
    return true;
}