tyliong
2008-Aug-27 14:12 UTC
protect_from_forgery :only => [:create, :delete, :update] what does this do exactly?
protect_from_forgery :only => [:create, :delete, :update]

Questions:

(1) Why do I need to put it in when I get an authenticity token error from passing an :id from the controller through AJAX?
(2) Are there any disadvantages in doing this (does this expose security loopholes)?
(3) If it is that good, should I use it in every controller?

From the Ruby API (I still don't understand what this means):

Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a forged link from another site, is done by embedding a token based on the session (which an attacker wouldn't know) in all forms and Ajax requests generated by Rails and then verifying the authenticity of that token in the controller. Only HTML/JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication scheme there anyway). Also, GET requests are not protected as these should be idempotent anyway.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Jorg Lueke
2008-Aug-27 14:17 UTC
Re: protect_from_forgery :only => [:create, :delete, :update] what does this do exactly?
> (3) If it is that good, should I use it in every controller?

Somebody must think so, because it is the default in every app built.
Tan YL
2008-Aug-27 14:54 UTC
Re: protect_from_forgery :only => [:create, :delete, :update] what does this do exactly?
In production mode it's a default? Sorry, still haven't got my app out of development mode, so I have no idea what happens during production.
Jorg Lueke
2008-Aug-28 13:45 UTC
Re: protect_from_forgery :only => [:create, :delete, :update] what does this do exactly?
It's the default in any Rails 2.0 project.
Tan YL
2008-Aug-28 15:46 UTC
Re: protect_from_forgery :only => [:create, :delete, :update] what does this do exactly?
How come I have to add it in my controller to get rid of the token error?
hitch
2008-Aug-28 21:01 UTC
Re: protect_from_forgery :only => [:create, :delete, :update] what does this do exactly?
protect_from_forgery is on by default to prevent Cross Site Request Forgery attacks.

You don't normally have to add this to your controller. What you are actually doing in this case is adding the call so that your AJAX method is NOT protected from attacks. It might make more sense to use the following:

    protect_from_forgery :except => :your_ajax_method

The end result should be the same, and listing which methods should not have protection is probably a more robust solution, since forgetting to add to the :except list will generate the kind of error you are seeing. Forgetting to add methods to the :only list will not generate any error messages.

If you do not want to exclude your AJAX method, your AJAX submission needs to include the token. This is done automatically by the framework for most forms.
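The following is an added example, not code from the thread or from Rails itself. It is a dependency-free Ruby stand-in for the mechanism the API text quoted in the first post describes (a per-session token embedded in forms and Ajax requests and verified in the controller; GET and non-HTML/JS formats skipped) and for the :only / :except distinction hitch draws above. The class and method names (ForgeryProtection, Request, verify!, run_scenarios) and the sample requests are invented here; the only Rails-specific facts it relies on are the ones stated in the thread, plus the X-CSRF-Token header that later Rails versions accept for Ajax calls.

```ruby
require "securerandom"

# Constructed stand-in for a Rails request: http_method, action name, format,
# form params and HTTP headers. Not ActionController's request object.
Request = Struct.new(:http_method, :action, :format, :params, :headers, keyword_init: true)

class InvalidAuthenticityToken < StandardError; end

# Illustrative model of protect_from_forgery, written for this page.
class ForgeryProtection
  # Only HTML/JavaScript requests are checked (per the API text quoted above).
  CHECKED_FORMATS = %w[html js].freeze

  # `only:` / `except:` mirror `protect_from_forgery :only => [...]` / `:except => [...]`.
  # With neither, every action in the controller is protected (the Rails default).
  def initialize(actions, only: nil, except: nil)
    @protected = Array(only || actions).map(&:to_sym) - Array(except).map(&:to_sym)
  end

  def protected?(action)
    @protected.include?(action.to_sym)
  end

  # The per-session secret an attacker on another site cannot read.
  # form_for and the Rails Ajax helpers embed this value for you.
  def self.token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Decide whether this request must carry a token, then verify it.
  def verify!(request, session)
    # GET is never checked; it is supposed to be idempotent.
    return :not_checked if request.http_method.to_s.casecmp("GET").zero?
    # An XML API is expected to authenticate some other way.
    return :not_checked unless CHECKED_FORMATS.include?(request.format.to_s)
    # Actions outside :only (or inside :except) are exempt, silently.
    return :not_checked unless protected?(request.action)

    expected = self.class.token_for(session)
    supplied = request.params["authenticity_token"] || request.headers["X-CSRF-Token"]
    raise InvalidAuthenticityToken unless supplied && secure_compare(supplied.to_s, expected)
    :verified
  end

  private

  # Constant-time comparison so the token cannot be recovered byte by byte via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Replays the situation in the thread: a hand-rolled Ajax POST that forgot
# the token, under the three controller configurations discussed.
def run_scenarios
  actions = %i[index create update delete toggle_ajax]
  session = {}
  token   = ForgeryProtection.token_for(session)

  # Constructed requests (not captured traffic).
  form_post       = Request.new(http_method: "POST", action: :create, format: "html",
                                params: { "authenticity_token" => token }, headers: {})
  ajax_no_token   = Request.new(http_method: "POST", action: :toggle_ajax, format: "js",
                                params: {}, headers: {})
  ajax_with_token = Request.new(http_method: "POST", action: :toggle_ajax, format: "js",
                                params: {}, headers: { "X-CSRF-Token" => token })
  forged          = Request.new(http_method: "POST", action: :toggle_ajax, format: "js",
                                params: {}, headers: { "X-CSRF-Token" => "attacker-guess" })
  plain_get       = Request.new(http_method: "GET", action: :index, format: "html",
                                params: {}, headers: {})

  results = {}
  # Default: all non-GET HTML/JS actions are checked, so the missing token is an error.
  default = ForgeryProtection.new(actions)
  results[:default_form] = default.verify!(form_post, session)
  results[:default_get]  = default.verify!(plain_get, session)
  results[:default_ajax] = (default.verify!(ajax_no_token, session) rescue :invalid_token)
  # :only => [:create, :delete, :update], as in the original post:
  # toggle_ajax stops erroring, but a forged request also sails through.
  only = ForgeryProtection.new(actions, only: %i[create delete update])
  results[:only_ajax]   = only.verify!(ajax_no_token, session)
  results[:only_forged] = only.verify!(forged, session)
  # :except => :toggle_ajax, as hitch suggests: same result, exemption made explicit.
  except = ForgeryProtection.new(actions, except: :toggle_ajax)
  results[:except_ajax] = except.verify!(ajax_no_token, session)
  # The fix that keeps protection: send the token with the Ajax request.
  results[:fixed_ajax]   = default.verify!(ajax_with_token, session)
  results[:fixed_forged] = (default.verify!(forged, session) rescue :invalid_token)
  results
end

if __FILE__ == $0
  run_scenarios.each { |name, outcome| puts "#{name}: #{outcome}" }
end
```

The point the scenario makes is the one in hitch's reply: both `:only` and `:except` make the error disappear, but they do so by exempting the action, so a forged request to it is accepted too. Sending the token with the Ajax call (last two results) is the variant that keeps the check and still rejects the forgery.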
tyliong
2008-Oct-07 11:20 UTC
Re: protect_from_forgery :only => [:create, :delete, :update] what does this do exactly?
How do I find what AJAX method is being used? Could you possibly give an example?