Forum: Ruby on Rails ajax in rails is a security violation

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
Adam D. (Guest)
on 2006-01-04 19:13
(Received via mailing list)
Does anybody have any issues with the AJAX code inside rails?  Whenever I
use any sites I have built, or even external sites (such as basecamphq),
my internal security device blocks access to the Ajax piece with a 400 Bad
Request (I scoured the net for other ajax examples and no issues anywhere
else).  I think there is something in the AJAX code of rails that is not
implemented correctly.  Has anybody else come across this?

thanks
adam
Alex Y. (Guest)
on 2006-01-04 19:20
(Received via mailing list)
Adam D. wrote:
>  Does anybody have any issues with the AJAX code inside rails?  Whenever
> i use any sites i have built, or even external sites (such as
> basecamphq) my internal security device blocks access to the Ajax piece
> with a  400 Bad Request ( i scoured the net for other ajax examples and
> no issues anywhere else).  I think there is something in the AJAX code of
> rails that is not implemented correctly.  Has anybody else come across
> this ?

Nope...  What is this internal security device of which you speak?
Rick O. (Guest)
on 2006-01-04 19:26
(Received via mailing list)
On 1/4/06, Adam D. <removed_email_address@domain.invalid> wrote:
>  Does anybody have any issues with the AJAX code inside rails?  Whenever i
> use any sites i have built, or even external sites (such as basecamphq) my
> internal security device blocks access to the Ajax piece with a  400 Bad
> Request ( i scoured the net for other ajax examples and no issues anywhere
> else).  I think there is something in the AJAX code of rails that is not
> implemented correctly.  Has anybody else come across this ?
>
> thanks
> adam

Perhaps you could explain what criteria your 'internal security
device' uses to determine if a request is a bad one.  AJAX requests
are the same as HTTP requests for the most part.  The only thing I can
think of off hand is the custom header that prototype adds.  But, I
believe it's a perfectly valid header extension.

--
rick
http://techno-weenie.net
Adam D. (Guest)
on 2006-01-05 04:42
(Received via mailing list)
Why does prototype add custom headers?  Is there a way to test it
without those headers?

The device is a spyware/malware proxy by a company called Finjan.  It
seems to only block requests for Rails XMLHttp requests, and I am
trying to figure out why.  The unique header is definitely one of the
possibilities; is there an easy way to disable this?

thanks
adam
Rick O. (Guest)
on 2006-01-05 04:51
(Received via mailing list)
On 1/4/06, Adam D. <removed_email_address@domain.invalid> wrote:
> why does prototype add custom headers?  Is there a way to test it
> without those headers?
>
> the device is a spyware/malware proxy by a company called Finjan.  It
> seems to only block requests for Rails XMLHttp requests, and i am
> trying to figure out why.  the unique header is definitely one of the
> possibilities, is there an easy way to disable this ?

Look at Ajax.Request.setRequestHeaders(), in prototype.js.  It sends
info on the version of prototype that's being used.  One major use is
the fact that I can detect prototype requests in controllers and treat
them differently than normal requests.

Easy way to disable it?  Not for other websites unfortunately.

--
rick
http://techno-weenie.net
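To make the header mechanism Rick describes concrete, here is an added example (written for this thread, not code from prototype.js or from Rails). It parses two constructed HTTP requests, one a plain page load and one carrying the two headers prototype.js 1.4 adds in Ajax.Request.setRequestHeaders() (X-Requested-With and X-Prototype-Version), detects the XMLHttpRequest the same way a Rails controller's request.xhr? does, and then models an assumed proxy policy that rejects any request header outside a fixed allow-list with 400 Bad Request. The allow-list policy is an assumption used to illustrate how a filter of that kind would single out Prototype requests; it is not a description of how Finjan's device works.

```ruby
# Added example, not code from the thread, Rails or prototype.js.
# Parses raw HTTP requests, detects XMLHttpRequest the way Rails'
# request.xhr? does, and models an assumed header-allow-listing proxy.

# Parse the request line and headers of a raw HTTP request into a Hash.
# Header names are normalised to lower case because they are case-insensitive.
def parse_request(raw)
  head, _body = raw.split("\r\n\r\n", 2)
  request_line, *header_lines = head.split("\r\n")
  method, path, version = request_line.split(" ", 3)
  headers = {}
  header_lines.each do |line|
    name, value = line.split(":", 2)
    next if name.nil? || value.nil?
    headers[name.strip.downcase] = value.strip
  end
  { method: method, path: path, version: version, headers: headers }
end

# Rails' request.xhr? is true when X-Requested-With contains "XMLHttpRequest",
# which is exactly the value prototype.js sets on every Ajax.Request.
def xhr?(req)
  req[:headers]["x-requested-with"].to_s.match?(/XMLHttpRequest/i)
end

# Headers an ordinary browser page load sends. The assumed proxy policy
# rejects requests that carry any header outside this list.
BASELINE_HEADERS = %w[host user-agent accept content-type content-length
                      cookie referer connection].freeze

# Headers prototype.js 1.4 adds; a corrected allow-list must include them.
PROTOTYPE_HEADERS = %w[x-requested-with x-prototype-version].freeze

# Status the assumed allow-listing proxy would return for this request.
def proxy_verdict(req, allowed)
  unknown = req[:headers].keys - allowed
  unknown.empty? ? 200 : 400
end

# Constructed sample requests (not captured traffic).
PLAIN_REQUEST =
  "GET /posts HTTP/1.1\r\n" \
  "Host: example.test\r\n" \
  "User-Agent: Mozilla/5.0\r\n" \
  "Accept: text/html\r\n\r\n"

PROTOTYPE_REQUEST =
  "POST /posts/1/vote HTTP/1.1\r\n" \
  "Host: example.test\r\n" \
  "User-Agent: Mozilla/5.0\r\n" \
  "Content-Type: application/x-www-form-urlencoded\r\n" \
  "Content-Length: 4\r\n" \
  "X-Requested-With: XMLHttpRequest\r\n" \
  "X-Prototype-Version: 1.4.0\r\n\r\n" \
  "up=1"

if __FILE__ == $0
  [PLAIN_REQUEST, PROTOTYPE_REQUEST].each do |raw|
    req = parse_request(raw)
    puts "#{req[:method]} #{req[:path]}: xhr?=#{xhr?(req)} " \
         "strict_proxy=#{proxy_verdict(req, BASELINE_HEADERS)} " \
         "fixed_proxy=#{proxy_verdict(req, BASELINE_HEADERS + PROTOTYPE_HEADERS)}"
  end
end
```

Run stand-alone it shows the plain request passing both policies while the Prototype request is detected as XHR, rejected with 400 by the strict allow-list and accepted once the two Prototype headers are added to it; that is the symptom Adam describes, reproduced from nothing more than the extra headers.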
Joe Van D. (Guest)
on 2006-01-05 04:58
(Received via mailing list)
On 1/4/06, Adam D. <removed_email_address@domain.invalid> wrote:
> why does prototype add custom headers?  Is there a way to test it
> without those headers?
>
> the device is a spyware/malware proxy by a company called Finjan.  It
> seems to only block requests for Rails XMLHttp requests, and i am
> trying to figure out why.  the unique header is definitely one of the
> possibilities, is there an easy way to disable this ?

Sounds like Finjan is broken.
Adam D. (Guest)
on 2006-01-05 18:44
(Received via mailing list)
Well, I would agree that the device is broken, but every other example of
an AJAX example works fine with XMLHttp request; only rails AJAX samples
are broken, which is why I tried to figure out the difference. At this point
it seems to be the custom headers that may be throwing it off.

thanks
adam