Rails 2.1 Request Forgery Protection is incompatible with AtomPub implementations

New 'verifiable_request_format?' function (action_controller/request_forgery_protection.rb:101) is banning DELETE requests, where request.content_type is nil.

It also forbids posting any type of media, like images. This should be solved by adding every content type to @@unverifiable_types in Mime::Type.

Any comments?
on 2008-06-20 18:50
on 2008-06-20 19:05
On Jun 20, 2008, at 6:49 PM, Antonio Tapiador del Dujo wrote:
> adding every content type to @@unverifiable_types in Mime::Type
>
> Any comments?

A quick workaround would be to turn off forgery protection by removing 'protect_from_forgery' from the ApplicationController.

Manfred
on 2008-06-20 20:20
On Friday 20 June 2008 19:04:04 Manfred Stienstra wrote:
> On Jun 20, 2008, at 6:49 PM, Antonio Tapiador del Dujo wrote:
> > adding every content type to @@unverifiable_types in Mime::Type
> >
> > Any comments?
>
> A quick workaround would be to turn off forgery protection by removing
> 'protect_from_forgery' from the ApplicationController.

Sure, but I'd like that functionality enabled for common requests.
on 2008-06-29 23:03
On 6/20/08, Antonio Tapiador del Dujo <atapiador@dit.upm.es> wrote:
>
> Rails 2.1 Request Forgery Protection is incompatible with AtomPub
> implementations
>
> New 'verifiable_request_format?' function
> (action_controller/request_forgery_protection.rb:101) is banning DELETE
> requests, where request.content_type is nil

Shouldn't the content type be application/atom+xml? :atom is in unverifiable_types.

> It also forbids posting any type of media, like images. This should be solved
> by adding every content type to @@unverifiable_types in Mime::Type
>
> Any comments?

According to the docs, you can skip request forgery protection by skipping the before_filter:

  skip_before_filter :verify_authenticity_token

Do you have any suggestions to make this easier for atompub implementors?

--
Rick Olson
http://lighthouseapp.com
http://weblog.techno-weenie.net
http://mephistoblog.com
on 2008-06-30 17:34
On Sunday 29 June 2008 23:02:58 Rick Olson wrote:
> On 6/20/08, Antonio Tapiador del Dujo <atapiador@dit.upm.es> wrote:
> > Rails 2.1 Request Forgery Protection is incompatible with AtomPub
> > implementations
> >
> > New 'verifiable_request_format?' function
> > (action_controller/request_forgery_protection.rb:101) is banning DELETE
> > requests, where request.content_type is nil
>
> Shouldn't the content type be application/atom+xml? :atom is in
> unverifiable_types.

I guess it's set to nil by Rails, because of the request body being blank.

> > It also forbids posting any type of media, like images. This should be
> > solved by adding every content type to @@unverifiable_types in Mime::Type
> >
> > Any comments?
>
> According to the docs, you can skip request forgery protection by
> skipping the before_filter:
>
> skip_before_filter :verify_authenticity_token

This would prevent forgery protection working for HTML requests.

> Do you have any suggestions to make this easier for atompub implementors?

I would suggest some kind of white list like Mime::Type@@unverifiable_types but for respond_to formats.
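A stand-alone Ruby model of the check being debated in this thread, added here as an illustration; it is not Rails' own code. The request struct, the contents of the unverifiable-types set, the method names and the respond_to-format allowlist are assumptions reconstructed from what the posts above describe: the 2.1 behaviour treats a request with no Content-Type (a bodiless AtomPub DELETE) or a media Content-Type (an image POST) as needing an authenticity token, while the format allowlist Antonio proposes exempts such API calls without exempting HTML form posts.

```ruby
require 'set'

# Constructed stand-in for the parts of a Rails request the forgery check reads.
# content_type is the parsed Content-Type symbol (nil when the body is blank);
# format is the respond_to format negotiated from the URL extension / Accept.
Request = Struct.new(:method, :content_type, :format)

# Assumed contents of Mime::Type@@unverifiable_types: formats a browser's HTML
# form never sends, so they are exempt from the authenticity-token check.
UNVERIFIABLE_TYPES = Set.new([:text, :json, :xml, :rss, :atom, :yaml])

# Rails 2.1 behaviour as reported in the thread: a request is "verifiable"
# (token required) when it has no Content-Type at all, e.g. a bodiless
# AtomPub DELETE, or a Content-Type outside the exempt set, e.g. image/png.
def verifiable_request_format_2_1?(request, _allowed_formats)
  request.content_type.nil? || !UNVERIFIABLE_TYPES.include?(request.content_type)
end

# Antonio's proposal (assumed shape): an extra allowlist keyed on the respond_to
# format, so a bodiless DELETE or a media POST addressed to an Atom resource is
# treated as an API call while ordinary HTML form posts still need the token.
def verifiable_request_format_allowlist?(request, allowed_formats)
  return false if allowed_formats.include?(request.format)
  verifiable_request_format_2_1?(request, allowed_formats)
end

# Mirrors ActionController's verified_request? decision: GET is never checked,
# exempt formats pass, everything else must present the session's token.
def verified_request?(request, token, session_token, checker, allowed_formats = Set.new)
  return true if request.method == :get
  return true unless checker.call(request, allowed_formats)
  !token.nil? && token == session_token
end

# Constructed requests from the thread: a bodiless AtomPub DELETE and an
# image POST to an Atom collection, plus a plain HTML form post, all token-less.
ATOM_DELETE = Request.new(:delete, nil, :atom)
IMAGE_POST  = Request.new(:post, :png, :atom)
HTML_POST   = Request.new(:post, :url_encoded_form, :html)

# Returns, per policy, whether each of the three token-less requests is accepted.
def demo
  reqs = [ATOM_DELETE, IMAGE_POST, HTML_POST]
  m21  = method(:verifiable_request_format_2_1?)
  mall = method(:verifiable_request_format_allowlist?)
  {
    rails_2_1: reqs.map { |r| verified_request?(r, nil, 'abc', m21) },
    allowlist: reqs.map { |r| verified_request?(r, nil, 'abc', mall, Set[:atom]) }
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Under the 2.1 rule all three token-less requests are rejected, which is the complaint that opened the thread; with the format allowlist the two Atom API calls pass while the HTML form post is still refused until it carries the token.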