Depending on how your column is set up, you may have a couple options. If what you're returning is pretty simple, you could embed javascript into the layout editor code view to access the dom of the other columns values you want to check. Another option which is easier to maintain and control, and is closer to what you mentioned is adding a transformation which calls out to an ObjectScript class function. From there you can access the context of whatever data you're pulling and check the values right there, and return whatever you want in your column.

It's the zero point for MUMPS based languages. It shows that way if your session has no timeout. From James Poitras on why:

"When I decided on specifications for the date routine, I remembered reading of the oldest (one of the oldest?) U.S. citizen, a Civil War veteran, who was 121 years old at the time. Since I wanted to be able to represent dates in a Julian-type form so that age could be easily calculated and to be able to represent any birth date in the numeric range selected, I decided that a starting date in the early 1840s would be ‘safe.’ Since my algorithm worked most logically when every fourth year was a leap year, the first year was taken as 1841. The zero point was then December 31, 1840."

Taken from http://www.faqs.org/faqs/m-technology-faq/part1/

Checking for the existence of a custom header, as I mentioned, is a good baseline because a browser cannot be coerced into setting one in these requests. But you're right that this isn't the OWASP recommendation, because it isn't proactive like the token method and is restricted to rest calls. The example I have is definitely not comprehensive, but due to the lack of support for these vulnerabilities I was wanting to discuss this.

Not technically. CORS exists to prevent certain responses from being read by another origin, and while a CSRF attack comes from another origin, there is a percentage of cases where the origin/referer is not included or is complex to identify correctly (the server is being indirectly accessed via proxy or some type of F5 config). See "Identifying the Target Origin" here which mentions how token based is preferred due to the work required in the long run, and how using origin/referer isn't 100% reliable:

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

A good CORS policy helps considerably though and I'd say is necessary. Just like how https doesn't directly stop CSRF, but it certainly assists in other areas that help mitigate these vulnerabilities.

I got it working, just needed some dumb troubleshooting and a terminal restart. Cut me some slack! I've never done a code golf before wink

This is really cool! But the output from this has the integers next to the strings. For example shouldn't:

FizzBuzz90

Instead be:

FizzBuzz