Dee Zsombor
2008-Mar-19 11:47 UTC
CSRF protection for ajax requests by double submitting cookies - Some PATCH love wanted.
Currently the authenticity_token is attached to each ajax snippet rails generates. This is fine when you rely exclusively on rails helpers but it makes it overly difficult for hand written Javascript. I've proposed a small change to prototype.js so the cookie is sent attached to each ajax request via an additional _cookie parameter. If the _cookie matches the session cookie we know it is a valid request even though authenticity_token was not attached.

So give some love here: http://dev.rubyonrails.org/ticket/11071

This not only gives CSRF protection for all JS requests (manual or not) but will also automatically make Autocomplete and InPlaceEditing and other plugins work.

--
Company - http://primalgrasp.com
Thoughts - http://deezsombor.com
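The server-side half of the double-submit scheme the post describes, as an added example that is not code from the ticket or from Rails: a request is accepted when either the usual authenticity_token matches the session's token or the _cookie parameter echoes the session cookie. The cookie name and the keyword arguments are assumptions for the sake of a self-contained snippet.

```ruby
# Added example, not code from the ticket or from Rails. The session cookie
# name and the argument shape are assumed for illustration.
SESSION_COOKIE = '_myapp_session'.freeze

# Constant-time comparison so a failed check does not reveal how many
# leading bytes of the expected value matched.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Double-submit check: the value sent in the _cookie parameter must equal
# the session cookie the browser attached. A cross-site page can make the
# browser send the cookie, but it cannot read the cookie to copy it into
# the request body, so only same-origin script can produce a match. Note the
# scheme assumes nobody else can set cookies for your domain (e.g. from a
# sibling subdomain); if they can, they can plant a cookie whose value they
# already know.
def double_submit_valid?(cookies, params)
  echoed = params['_cookie']
  return false if echoed.nil? || echoed.empty?
  secure_equal?(echoed, cookies[SESSION_COOKIE])
end

# Mirrors the shape of Rails' verify_authenticity_token: safe methods are
# not protected, the regular token still works, and hand-written Ajax may
# instead fall back to the double-submitted cookie.
def verified_request?(method:, cookies:, params:, session_token:)
  return true if %w[GET HEAD].include?(method.to_s.upcase)
  return true if secure_equal?(params['authenticity_token'], session_token)
  double_submit_valid?(cookies, params)
end
```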