function ajax_set_verification_header

Sets a response header for ajax.js to trust the response body.

It is not safe to invoke Ajax commands within user-uploaded files, so this header protects against those being invoked.

See also

Drupal.ajax.options.success()

Related topics

2 calls to ajax_set_verification_header()
ajax_deliver in includes/ajax.inc
Packages and sends the result of a page callback as an Ajax response.
ajax_render in includes/ajax.inc
Renders a commands array into JSON.

File

includes/ajax.inc, line 595

Code

function ajax_set_verification_header() {
    $added =& drupal_static(__FUNCTION__);
    // User-uploaded files cannot set any response headers, so a custom header is
    // used to indicate to ajax.js that this response is safe. Note that most
    // Ajax requests bound using the Form API will be protected by having the URL
    // flagged as trusted in Drupal.settings, so this header is used only for
    // things like custom markup that gets Ajax behaviors attached.
    if (empty($added)) {
        drupal_add_http_header('X-Drupal-Ajax-Token', '1');
        // Avoid sending the header twice.
        $added = TRUE;
    }
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.