Ajax CSRF in Rails3

I’m using rails3. It does not seem to check the authenticity_token
when doing a POST using Ajax. I traced this to:

module ActionDispatch
class Request < Rack::Request

def forgery_whitelisted?
get? || xhr? || content_mime_type.nil? || !
content_mime_type.verify_request?
end
end

so you don’t check if its a get? or a xhr? (ie ajax request). Is this
correct?

On Sep 21, 7:43 am, Ft51 [email protected] wrote:

end

so you don’t check if its a get? or a xhr? (ie ajax request). Is this
correct?

Seems correct to me:
GET requests shouldn’t be doing anything where it matters if the
request is coming from another domain.
XHR requests don’t support cross-domain calls. So you don’t have to
worry about it coming from another domain.

Thanks, that makes sense!

doesnt $.getScript passes from data from one domain to another?

On Sep 21, 12:23 pm, radhames brito [email protected] wrote:

doesnt $.getScript passes from data from one domain to another?

I doubt it. It probably uses XMLHttpRequest

On Sep 21, 2:30 pm, radhames brito [email protected] wrote:

just comfirmed an getscript does cross-domain calls

some guys are using it to send https data over http

http://www.viget.com/extend/secure-ajax-from-non-secure-pages/

Actually, that page specifically says that it doesn’t work cross
domain, or even cross protocol:

“the JavaScript same origin policy prevents you from making an Ajax
request from your non-secure page to a secure page”

And the example doesn’t show any use of cross domain or cross protocol
calls.

just comfirmed an getscript does cross-domain calls

some guys are using it to send https data over http

http://www.viget.com/extend/secure-ajax-from-non-secure-pages/

class CryptoKeysController < ApplicationController
ssl_required :show

$.getScript(’/profiles/crypto_key?callback=setCryptData’,

he is calling

the show action with htts from a non https page

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs