joshdeeden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2008-Jan-23 21:26 UTC
CSRF / cached authenticity tokens / ajax requests
I'm going to go out on a limb here and say the new CSRF protection in Rails is flawed. Why? Forget about caching if you care to use it. Consider the following:

    <% cache do %>
      <%= link_to_remote "Add To Favorites", :url => {:controller => "favorites", :action => "create", "movie_id" => 2} %>
    <% end %>

    # Output
    <a onclick="new Ajax.Request('/favorites?movie_id=2', {asynchronous:true, evalScripts:true, method:'post', parameters:'authenticity_token=' + encodeURIComponent('a85178cac134447c87a22495662125024c1ae57e')}); return false;" href="#">Add To Favorites</a>

The trouble is the cached (and consequently invalid) authenticity_token being sent in the POST, which triggers the CSRF protection in Rails, thereby rejecting the request. That's no fun.

Then again, maybe I'm an incompetent retard and the CSRF protection in Rails is flawless and I'm totally missing something. Please, somebody, educate me if this is the case.

Thanks,
Josh

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
The 'flaw' is in the programmer that thinks he can cache dynamic content such as....

--
Posted via http://www.ruby-forum.com/.
joshdeeden-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2008-Jan-25 03:10 UTC
Re: CSRF / cached authenticity tokens / ajax requests
I don't see your point. Please clarify.

Thanks,
Josh

On Jan 24, 3:39 am, Keynan Pratt <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> The 'flaw' is in the programmer that thinks he can cache dynamic content
> such as....
> --
> Posted via http://www.ruby-forum.com/.
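The failure Josh reports and Keynan's point about caching dynamic content, as an added illustration that is not from this thread or from Rails itself: a simplified model of Rails 2.0's per-session token check, a fragment cache that hands the first session's token to the second, and the alternative of rendering the token outside the cached fragment. The class names, the `data-token` attribute and the meta-tag placement are assumptions of the example, not Rails 2.0 behaviour.

```ruby
require 'digest/sha1'

# Simplified model of Rails 2.0's protect_from_forgery (not Rails' code): the
# token is a digest of the app secret and the session id, so it is per-session.
class ForgeryProtection
  def initialize(secret)
    @secret = secret
  end
  def token_for(session_id)
    Digest::SHA1.hexdigest(@secret + session_id)
  end
  def verified?(session_id, submitted_token)
    token_for(session_id) == submitted_token
  end
end

# Minimal fragment cache: the first render for a key is stored and every
# later render for that key gets the stored HTML back unchanged.
class FragmentCache
  def initialize
    @store = {}
  end
  def fetch(key)
    @store[key] ||= yield
  end
end

# The pattern from the post: the token is rendered inside the cached
# fragment, so the second session receives the first session's token.
def cached_link(cache, protection, session_id)
  cache.fetch('favorites/2') do
    "<a href=\"#\" data-token=\"#{protection.token_for(session_id)}\">Add To Favorites</a>"
  end
end

# The alternative: cache only the token-free markup and emit the current
# session's token outside the fragment (assumed here to be a page-level meta tag).
def safe_link(cache, protection, session_id)
  fragment = cache.fetch('favorites/2-notoken') do
    '<a href="#" class="add-favorite">Add To Favorites</a>'
  end
  "<meta name=\"csrf-token\" content=\"#{protection.token_for(session_id)}\">\n#{fragment}"
end

# Simulate the browser POSTing whatever token the page carried.
def request_accepted?(html, protection, session_id)
  token = html[/(?:data-token|content)="([0-9a-f]{40})"/, 1]
  protection.verified?(session_id, token)
end
```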