Stricter recognition of an Ajax request #10118
Closed
Description
Proposal
We should be stricter about recognizing the request type. Instead of using the _remote parameter, we should check for the existence of the X-Roundcube-Request header (which we already add to Ajax requests invoked by JavaScript code).
Motivation and context
We have a distinction between HTML and Ajax requests. This distinction tells the code what the expected response type is, but it also has some security implications.
This change would make abusing the system a bit harder, as you would not be able to reach code paths reserved for Ajax requests with a simple URL (e.g. a prepared link click).
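The following is an added illustration of the two detection strategies discussed in the issue; it is not Roundcube's own code. The header name X-Roundcube-Request is the one named in the issue; the function names, the `$_SERVER`-style arrays and the sample requests are constructed for the example.

```php
<?php
// Added example, not Roundcube's own code. Contrasts deciding "is this an
// Ajax request?" from a request parameter versus from a custom header.
// Function names and sample requests are hypothetical/constructed.

// Parameter-based check: trusts a value in the query string or POST body.
// Anything that can make the browser issue a request (a link, an <img>
// tag, a redirect, a plain form) can include this parameter.
function is_ajax_by_param(array $params): bool
{
    return !empty($params['_remote']);
}

// Header-based check: requires the custom request header. A link click,
// form submission or image load cannot attach a custom header; only script
// (XMLHttpRequest / fetch) can, and a cross-origin script that tries to set
// it triggers a CORS preflight that the server does not have to approve.
function is_ajax_by_header(array $server): bool
{
    // PHP exposes request headers in $_SERVER as HTTP_<NAME>,
    // upper-cased and with dashes turned into underscores.
    return isset($server['HTTP_X_ROUNDCUBE_REQUEST'])
        && $server['HTTP_X_ROUNDCUBE_REQUEST'] !== '';
}

// Constructed sample requests. The "prepared link" carries _remote=1 in
// the URL but, being a navigation, no custom header; the Ajax call carries
// both because the client-side script added the header.
$preparedLink = [
    'params' => ['_task' => 'mail', '_action' => 'list', '_remote' => '1'],
    'server' => ['REQUEST_METHOD' => 'GET'],
];
$ajaxCall = [
    'params' => ['_task' => 'mail', '_action' => 'list', '_remote' => '1'],
    'server' => ['REQUEST_METHOD' => 'GET', 'HTTP_X_ROUNDCUBE_REQUEST' => 'request-token'],
];

foreach (['prepared link click' => $preparedLink, 'JavaScript Ajax call' => $ajaxCall] as $label => $req) {
    printf(
        "%-22s param check: %-5s header check: %s\n",
        $label,
        is_ajax_by_param($req['params']) ? 'ajax' : 'html',
        is_ajax_by_header($req['server']) ? 'ajax' : 'html'
    );
}
```

The prepared link is classified as Ajax by the parameter check but as a plain HTML request by the header check, which is the behaviour the proposal is after. The header check complements, rather than replaces, the existing request-token (CSRF) validation: same-origin script can always set the header, so the token is still what ties a request to the user's session.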