by cykod 4577 days ago
Isn't this solved by just requiring the CSRF token on any JS GET requests? (In fact, isn't this just a cross-site request forgery with a different verb than we're used to?)

I know it's only generally checked on POSTs, but turning it on for any XHR calls seems like it would solve any potential data leakage.


Seems to me like this solution, or checking for `request.xhr?` are the best suggestions so far.
This one was mentioned by Homakov on Twitter I think. Though I would love to have it wrap the responder instead.
More importantly, isn't this solved via authentication (basic auth)?
Basic/digest auth doesn't solve this if you've recently used the target site any more than cookies do, because your browser caches the authentication for some time and won't ask you again.

Also, very few web applications use basic auth, most use cookies.

It can be a solution, not ideal: proper non-XHR insertions on site.com will stop working. But for a first step it's good enough.
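A minimal version of the two mitigations the thread converges on, written as an added example that is not from any commenter: a plain-Ruby Rack-style middleware (no gems required; the class name, session layout and header/parameter names are assumptions) that lets a JSON request through only when it is an XHR, as `request.xhr?` would check, or carries the session's CSRF token. As the last comment notes, a plain non-XHR navigation to a JSON endpoint then stops working.

```ruby
require 'uri'

# Rack-style guard (assumed name, not from the thread): JSON requests must be
# XHR or carry the session CSRF token, otherwise they are refused with 403.
class XhrOrTokenGuard
  def initialize(app)
    @app = app
  end

  def call(env)
    return @app.call(env) unless wants_json?(env)          # HTML pages are unaffected
    return @app.call(env) if xhr?(env) || token_valid?(env)
    [403, { 'content-type' => 'text/plain' }, ['Forbidden: not an XHR and no CSRF token']]
  end

  private

  # JSON is what a cross-site <script src=...> could leak, so that is what is gated.
  def wants_json?(env)
    env['HTTP_ACCEPT'].to_s.include?('application/json') ||
      env['PATH_INFO'].to_s.end_with?('.json')
  end

  # Same test as Rails' request.xhr?: X-Requested-With is a non-simple header,
  # so a cross-origin page cannot add it without a CORS preflight the server
  # would first have to approve.
  def xhr?(env)
    env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
  end

  # The "require the CSRF token on GET as well" suggestion: accept the
  # per-session token from a header or query parameter (assumed names) and
  # compare it in constant time.
  def token_valid?(env)
    expected = (env['rack.session'] || {})['csrf_token']
    given = env['HTTP_X_CSRF_TOKEN'] ||
            URI.decode_www_form(env['QUERY_STRING'].to_s).to_h['authenticity_token']
    return false if expected.nil? || given.nil?
    secure_compare(expected, given)
  end

  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Downstream app returning a constructed JSON body, wrapped in the guard.
DEMO_APP = XhrOrTokenGuard.new(->(_env) { [200, { 'content-type' => 'application/json' }, ['{"secret":1}']] })
```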