/**
  * Returns true if the request could have been initiated
  * from another site while still carrying the user's cookies.
  */
 private static function isPossibleCrossSiteSessionRiding($request)
 {
     // Requests flagged as XMLHttpRequest are treated as same-site: the flag
     // comes from the X_REQUESTED_WITH header, which this check assumes a
     // page on another site cannot attach to a request.
     // NOTE(review): that assumption holds only while no cross-origin policy
     // (e.g. a permissive CORS configuration) lets other origins send the
     // header - confirm against the deployment.
     if ($request->isXmlHttpRequest()) {
         return false;
     }

     // A REST call is accepted when its af_apikey parameter is the current
     // user's key; an empty or missing parameter never reaches the key check.
     // NOTE(review): if getParameter() also reads the query string, the key
     // can end up in access logs and Referer headers - confirm where it is read.
     $suppliedKey = $request->getParameter('af_apikey');
     $keyBelongsToUser = $suppliedKey && afApikeySecurityFilter::isCurrentUserKey($suppliedKey);

     // Everything else is reported as possibly cross-site.
     return !$keyBelongsToUser;
 }