Ft51
September 21, 2010, 1:46pm
1
I’m using rails3. It does not seem to check the authenticity_token
when doing a POST using Ajax. I traced this to:
    module ActionDispatch
      class Request < Rack::Request
        …
        def forgery_whitelisted?
          get? || xhr? || content_mime_type.nil? || !content_mime_type.verify_request?
        end
      end
    end
So you don't check if it's a get? or an xhr? (i.e. an Ajax request). Is this
correct?
Ft51
September 21, 2010, 2:17pm
2
On Sep 21, 7:43 am, Ft51 [email protected] wrote:
end
so you don't check if it's a get? or an xhr? (i.e. an Ajax request). Is this
correct?
Seems correct to me:
GET requests shouldn’t be doing anything where it matters if the
request is coming from another domain.
XHR requests don’t support cross-domain calls. So you don’t have to
worry about it coming from another domain.
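The exemptions discussed in posts 1 and 2, traced through in code. This is an added example and not code from the Rails source or from anyone in the thread: it re-implements the quoted forgery_whitelisted? predicate over a stand-in request object and runs a handful of constructed requests through the token check, so you can see which ones never reach the token comparison. The list of "browser generated" MIME types that verify_request? consults is an assumption taken from memory of Rails 3.0's Mime::Type.browser_generated_types, not something the thread states.

```ruby
require 'set'

# Added example: a minimal stand-in for ActionDispatch::Request carrying
# only the fields the quoted forgery_whitelisted? predicate looks at.
Request = Struct.new(:verb, :headers, :content_type, :params, keyword_init: true)

# ASSUMPTION: the content types a browser can produce from a plain <form>.
# Rails 3.0 kept such a set in Mime::Type.browser_generated_types; the exact
# membership here is recalled from memory, not quoted from the thread.
BROWSER_GENERATED_TYPES = Set.new(%w[
  text/html
  application/x-www-form-urlencoded
  multipart/form-data
  text/plain
]).freeze

def get?(req)
  req.verb.to_s.upcase == 'GET'
end

# Rack's xhr? test: the header jQuery and friends add to XMLHttpRequest calls.
def xhr?(req)
  req.headers['X-Requested-With'] == 'XMLHttpRequest'
end

# Media type without parameters, or nil when the request carries no body type.
def content_mime_type(req)
  return nil if req.content_type.nil? || req.content_type.empty?
  req.content_type.split(';').first.strip.downcase
end

# Mime::Type#verify_request?: only browser-generated types get checked.
def verify_request?(mime)
  BROWSER_GENERATED_TYPES.include?(mime)
end

# The predicate quoted in post 1, line for line.
def forgery_whitelisted?(req)
  mime = content_mime_type(req)
  get?(req) || xhr?(req) || mime.nil? || !verify_request?(mime)
end

class InvalidAuthenticityToken < StandardError; end

# What the before_filter does with the predicate: skip the comparison for
# whitelisted requests, otherwise insist the form token matches the session.
def verify_authenticity_token!(req, session_token)
  return :skipped  if forgery_whitelisted?(req)
  return :verified if req.params['authenticity_token'] == session_token
  raise InvalidAuthenticityToken
end

SESSION_TOKEN = 'constructed-session-token'.freeze

# Returns :skipped, :verified or :rejected for one request.
def classify(req, session_token = SESSION_TOKEN)
  verify_authenticity_token!(req, session_token)
rescue InvalidAuthenticityToken
  :rejected
end

# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
  # Cross-site <form method="post"> that cannot know the token.
  forged_form_post: Request.new(verb: 'POST', headers: {},
                                content_type: 'application/x-www-form-urlencoded',
                                params: {}),
  # The app's own form, token embedded by form_for.
  legit_form_post:  Request.new(verb: 'POST', headers: {},
                                content_type: 'application/x-www-form-urlencoded',
                                params: { 'authenticity_token' => SESSION_TOKEN }),
  # jQuery $.post from the same origin: XHR adds X-Requested-With, no token sent.
  xhr_post:         Request.new(verb: 'POST',
                                headers: { 'X-Requested-With' => 'XMLHttpRequest' },
                                content_type: 'application/x-www-form-urlencoded',
                                params: {}),
  # A <script src=...> tag (what $.getScript injects) is always a GET.
  script_tag_get:   Request.new(verb: 'GET', headers: {}, content_type: nil, params: {}),
  # A POST whose body type no HTML form can produce.
  json_post:        Request.new(verb: 'POST', headers: {},
                                content_type: 'application/json',
                                params: {}),
}.freeze

def report
  SAMPLE_REQUESTS.transform_values { |req| classify(req) }
end

report.each { |name, outcome| puts format('%-18s %s', name, outcome) } if $PROGRAM_NAME == __FILE__
```

Of the five constructed requests only the two plain form POSTs are ever compared against the session token; the XHR POST, the script-tag GET and the JSON POST are all whitelisted before the comparison happens. Each of those three exemptions rests on a browser assumption rather than on anything the application verifies: that GET handlers never change state, that no cross-origin page can attach X-Requested-With, and that no cross-origin page can send a body type outside the browser-generated set. Only the first of those is under the application's control.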
Ft51
September 21, 2010, 3:45pm
3
Thanks, that makes sense!
Ft51
September 21, 2010, 6:25pm
4
Doesn't $.getScript pass data from one domain to another?
Ft51
September 21, 2010, 8:21pm
5
On Sep 21, 12:23 pm, radhames brito [email protected] wrote:
Doesn't $.getScript pass data from one domain to another?
I doubt it. It probably uses XMLHttpRequest.
Ft51
September 21, 2010, 9:52pm
6
On Sep 21, 2:30 pm, radhames brito [email protected] wrote:
Just confirmed: $.getScript does cross-domain calls.
Some guys are using it to send https data over http:
Secure Ajax from Non-Secure Pages | Viget
Actually, that page specifically says that it doesn’t work cross
domain, or even cross protocol:
“the JavaScript same origin policy prevents you from making an Ajax
request from your non-secure page to a secure page”
And the example doesn’t show any use of cross domain or cross protocol
calls.
Ft51
September 21, 2010, 8:31pm
7
Just confirmed: $.getScript does cross-domain calls.
Some guys are using it to send https data over http:
Ok, here’s a problem: you have a login form on your web app that needs to be protected via SSL. In addition, on every other page – none of which use SSL – you have a miniature login form that submits via Ajax. Of course, the JavaScript same origin...
Ft51
September 21, 2010, 10:28pm
8
    class CryptoKeysController < ApplicationController
      ssl_required :show

    $.getScript('/profiles/crypto_key?callback=setCryptData',
He is calling the show action with https from a non-https page.