Homakov, What Godfrey suggest may be implemented on the server side instead of client side without being hacked so easily?
We may raise an exception by default when the host is not allowed, assuming that request.host is trustable. On Saturday, November 30, 2013 7:49:42 AM UTC-2, Courtenay Gasking wrote: > > Since POSTs already require a csrf token, the rjs calls should do the same > thing. Make them require the auth token in the url, or even better, have > rails generate a hash of the auth token and the url and compare on the > server. Thus you can't call any rjs without using rails helpers to generate > the correct url and matching token, and the new token would not be leaking > the original csrf token via url or referer. It's effectively using methods > similar to how we build APIs with hmac signing of the request, but in a > lightweight form and only in the background for RJS (or whatever else you > want to protect, I suppose). This seems a little out of the scope of the > core rails project, though? > -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-core+unsubscr...@googlegroups.com. To post to this group, send email to rubyonrails-core@googlegroups.com. Visit this group at http://groups.google.com/group/rubyonrails-core. For more options, visit https://groups.google.com/groups/opt_out.
