Suresh Kumar
2014-Nov-09 06:54 UTC
Rails4 - How to receive and send JSON data securely through Ajax and store it?
I have a page(like https://www.helloabc.com/han.html) that is loaded
inside an iframe on an app of different domain. I added the following to
enable loading the page in an iframe to remove the error("Refused to
display document because display forbidden by X-Frame-Options").
config.action_dispatch.default_headers['X-Frame-Options'] =
"ALLOW-FROM
https://xyz.com"
The iframe page sends data through ajax json to another page as follows
.
$.ajax({
url: 'https://www.helloabc.com/hello',
type: 'POST',
dataType: 'json',
data: {
"url" : hjurl,
"data" : senddatavar
},
success: function(a){
console.log("success");
console.log(a.message);
},
error: function(request, status, error) {
console.log("error");
}
});
I received it as follows
heroku[router]: at=info method=POST path="/hello"
host=www.helloabc.com
request_id=7163f18c-16c8-47ab-b4bf-602d12c9c67d fwd="117.203.154.1"
dyno=web.1 connect=3ms service=13ms status=422 bytes=359
app[web.1]: Started POST "/hello" for 117.203.154.1 at 2014-11-07
12:15:59 +0000
app[web.1]: Completed 422 Unprocessable Entity in 1ms
app[web.1]: Processing by HomePageController#hellojson as JSON
app[web.1]: Parameters:
{"url"=>"https://abc.yupp.com/hs/_/krfdsgea",
"data"=>{"0"=>{"id"=>"231bacacdsf928",
"person"=>{"id"=>"2342762436",
"dName"=>"wwwww",
"image"=>{"url"=>"https://sbc/photo.jpg"}},}}}
app[web.1]: Can't verify CSRF token authenticity
app[web.1]:
app[web.1]: ActionController::InvalidAuthenticityToken
(ActionController::InvalidAuthenticityToken):
So I changed my controller as follows to avoid this problem
class HomePageController < ApplicationController
skip_before_filter :verify_authenticity_token, only: [:hellojson]
def hello
end
def hellojson
respond_to do |format|
format.html
format.json { render :json => { :status => 'Ok', :message
=>
'Received'}, :status => 200 }
end
end
end
I just read that adding "skip_before_filter
:verify_authenticity_token"
will lead to serious security problem. How do I solve this?
After this I am able to receive data and I receive 200 ok in my iframe
page.
heroku[router]: at=info method=POST path="/hello"
host=www.helloabc.com
request_id=ac3ed869-75cc-484f-94ea-65ea2fccbb9e fwd="117.203.154.1"
dyno=web.1 connect=3ms service=26ms status=200 bytes=900
app[web.1]: Started POST "/hello" for 117.203.154.1 at 2014-11-07
16:45:29 +0000
app[web.1]: Processing by HomePageController#hellojson as JSON
app[web.1]: Parameters:
{"url"=>"https://abc.yupp.com/hs/_/krki5gea",
"data"=>{"0"=>{"id"=>"937bacaeb0f928",
"person"=>{"id"=>"1984762436",
"dName"=>"zzzzz",
"image"=>{"url"=>"https://sbc/photo.jpg"}},
}}}
app[web.1]: Completed 200 OK in 2ms (Views: 0.4ms | ActiveRecord: 0.0ms)
I am new to rails. I don't know how to grab this data and store it. And
I dont know how to do it the right way.
Can anyone please share what is the best practice to send data through
ajax securely and store it?
--
Posted via http://www.ruby-forum.com/.
--
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit
https://groups.google.com/d/msgid/rubyonrails-talk/0808cbcbed1d065de93fe14bb04adf79%40ruby-forum.com.
For more options, visit https://groups.google.com/d/optout.