similar to: CSRF / cached authenticity tokens / ajax requests

Displaying 20 results from an estimated 1000 matches similar to: "CSRF / cached authenticity tokens / ajax requests"

2014 May 03
0
Putting form_authenticity_token (csrf token) in a cookie instead of in meta tags?
When you generate a default Rails app, it puts this in application.html.erb: <%= csrf_meta_tags %> It does this so the remote forms can be submitted--i.e., so JavaScript can submit a form. When jquery-rails is about to submit a form, it looks for the <meta> tags named "csrf-param" and "csrf-token" and from them it constructs a hidden
2011 Feb 09
2
CSRF Protection Bypass in Ruby on Rails - I don't get it ...
Hi all, My team and I are finding ourselves a little in the dark about the "CSRF Protection Bypass in Ruby on Rails" vulnerability that was announced yesterday - http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails 1. Where is the complete Advisory? The Impact section is very unclear. Looking at the comment in the 2.3 patch mentions "Flash animations and
2010 Sep 21
7
Ajax CSRF in Rails3
I'm using rails3. It does not seem to check the authenticity_token when doing a POST using Ajax. I traced this to: module ActionDispatch class Request < Rack::Request ..... def forgery_whitelisted? get? || xhr? || content_mime_type.nil? || ! content_mime_type.verify_request? end end so you don't check if it's a get? or a xhr? (ie ajax request). Is this correct? --
2008 May 07
2
Question on authenticity tokens
Does anyone find them useful? I can see them being good in some cases, but I have many exceptions that occur because of expired sessions. I am also not sure if they are really required for pages that require a login to access. The other place that they cause issues is in javascript requests. I am not using the built-in helpers, and all the javascript exists in separate js files. There is ways
2011 Aug 28
1
Page Caching, CSRF, and Loading a form via Ajax
Hi all, I would like to use page caching on my homepage, but also want to enable people to sign in via a modal dialog sign in form. I could have a setup in which when a user lands on the cached homepage, an Ajax GET request pulls in the whole login form so that there is a fresh authenticity token. That said, besides the additional hit to the server, the CSRF token in the head area of the page
2010 Jul 08
2
rspec-rails how to selectively turn on csrf protection for controller specs?
I'm setting up a Paypal IPN listener and need the create action to not use rails' default CSRF protection. I've got that working fine & test it actually works with cucumber (where I've turned CSRF back on, since it's full-stack testing) but would like my controller spec to mention the need for protect_from_forgery :except => [:create] (and fail
2008 May 07
2
Inserting authenticity token into AJAX request params
Hi all. I am trying to find a way to insert an authenticity_token into the params of an Ajax request before it gets sent. I've got this much: Ajax.Responders.register({ onLoading: function(req){ if ((req.options.method == 'post') && ! Object.keys(req.options.parameters).include('authenticity_token')){ ---->
2010 Sep 04
0
CSRF protection not working with jquery ajax post request
Hello, I want to test the csrf protection of my application but forgery protection is not working with jquery ajax request. I have used Unobtrusive Javascript with jquery. I have removed the <%= csrf_meta_tag %> so that my application does not include the authenticity token. In my view I have the following code $(function () { $('#alert').click(function () { $.ajax({
2013 Jan 09
4
CSRF resets my session in Firefox
Hello all, I've been trying to diagnose an issue with CSRF and Firefox specifically. I've got an ajax based form, using UJS (yes, I have csrf_meta_tag in my layout and I've tried adding the X-CSRF-Token header to the ajax beforeSend events without any luck)... The form just posts some data to an ajax method that creates, saves, and sets the session for a shopper as
2009 Oct 17
3
Security problems with CookieStore and CSRF protection
Dear Rails community, As part of a programming languages/security research group at the University of Maryland, we are building some static analysis tools for Rails applications. These tools work by taking formally specified properties of interest, and then analyzing code to verify that those properties indeed hold. Using these tools, we found some security vulnerabilities in Rails, and we would
2013 Jan 22
2
Rails 4: Should a HEAD request not be handled like a GET for CSRF protection?
I am running a Rails 4 app in semi-production and I constantly get exceptions from crawler bots that use a HEAD HTTP method, which causes the CSRF protection to kick in. Shouldn't HEAD requests normally be handled like GET requests? I am not sure if I'm just being stupid or that it is a bug somewhere. Michiel
2011 May 25
1
trouble using jQuery in Rails 3.0.7
I've tried to install JQuery a couple of times now, and I've followed the steps for Rails UJS mentioned here: https://github.com/rails/jquery-ujs The last time I went ahead and added jQuery UI as well: $ rails generate jquery:install --ui remove public/javascripts/prototype.js remove public/javascripts/effects.js remove public/javascripts/dragdrop.js
2007 Oct 23
6
Auto complete plugin and CSRF protection-- do you care?
Hi, I just noticed that the auto_complete plugin does not work with the CSRF protection in Rails 2.0. I've patched the plugin, but I'm wondering if people would like to see the official plugin fixed. If so, speak up and I will write some tests and submit the patch. Krishna
2009 Apr 08
0
authenticity problem with jrails ajax
I'm using jrails and I found when I use the authenticity_token in certain javascript calls, that the url works differently in that the parameters in the :with clause get dropped if they are in a json type syntax. Below is an example of a remote_function() call from JS that used to work fine without authenticity. When I enabled authenticity it adds the authenticity token automatically, but
2012 Jan 01
3
'require_tree .' does not seem to be including the available *.js files as expected. Why?
Hi, all, Happy new year :) Referring to http://guides.rubyonrails.org/asset_pipeline.html, it seems that 'require_tree .' in myapp/app/assets/javascripts/application.js will include all *.js files in myapp/app/assets/javascripts/. I have a few other *.js files in this directory: parts.js, makes.js and categories.js. Here's an extract from the html file I
2008 Jan 30
2
Invalid authenticity tokens when using subdomains
Does anyone have experience with using subdomains and rails? The example that I used to help me out was from the Advanced Rails Recipes book, but I can't get it working as it should. I continually get authenticity token errors after logging in. I have had this error before, and for whatever reason after I added a <%= token_tag %> to the form it worked, but it doesn't work
2011 Feb 11
11
CSRF protection in rails 2.3.11
Hi all, I think CSRF protection broke in rails 2.3.11. As in: it's turned off now. I tried this in rails 2.3.10 and in 2.3.11 and 2.3.11 seems broken. >rails csrftest >cd csrftest >script/generate scaffold post title:string >rake db:migrate now I visit /posts/new in my browser, use firebug to delete or change the authenticity token, and submit the form. rails 2.3.11: all
2010 Apr 01
4
POST-only logic in protect_from_forgery considered harmful?
Hi folks, I am just getting into rails again after a multi-year stint of mod_perl jobs, which might grant me some newbie-indemnity for the time being - but I've found an issue I think warrants discussion. As discussed here - http://api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html - the CSRF protection feature does not kick in for GET requests. This
2010 Feb 22
10
Error: "ActionController::InvalidAuthenticityToken"
Hi there, I have my first Rails app running and I regularly get the following "logged_exception" error message: "ActionController::InvalidAuthenticityToken" Has anybody an idea what might cause this problem? Could it somehow be a "time out" error (like an "AuthenticityToken" which might expire after a certain time, or something along those lines)? Any
2006 Aug 16
3
Question RE Rails associations
Hi, I am new to Ruby and Rails programming and am having difficulty with the following scenario... Consider the following model: class Studio < ActiveRecord::Base has_many :movies has_and_belongs_to_many :actors end class Movie < ActiveRecord::Base belongs_to :studio has_and_belongs_to_many :actors end class Actor < ActiveRecord::Base has_and_belongs_to_many :studios