While answering this question on Security.SE, I realized that there may be a need for a way to disable AJAX requests from all domains, including the original domain itself. This would be useful if I have a site which hosts user-submitted JS and I don't want that JS to be able to access my site via AJAX on a modern browser (similar to how cross-domain AJAX is prohibited unless set in a header).
Is there any way I can disable same-origin AJAX in PHP or Apache? I'm looking for something similar to the Access-Control-Allow-Origin: * header (set via header() or .htaccess), except that the effect is the opposite -- the browser is told not to allow any AJAX calls to the page.
I know that the end-user can always mess with the headers on their own and allow AJAX. I don't mind that; I want to prevent oblivious visitors from being affected by same-origin AJAX in uploaded code.