When you generate a default Rails app, it puts this in application.html.erb:
<%= csrf_meta_tags %>
It does this so the remote forms can be submitted, i.e., so JavaScript can submit a form. When jquery-rails is about to submit a form, it looks for the tags named “csrf-param” and “csrf-token” and from them it constructs a hidden “authenticity_token” param. It gets inserted in with the POST data so Rails will accept the request.
I would like to be able to serve identical HTML content for all users, so the page can be cached on Varnish or a CDN or whatever. Since the form_authenticity_token is different for every session, leaving csrf_meta_tags in the header makes it impossible for a proxy to cache the page.
I have an idea for how to fix it but thought I would ask here, to see if people think there would be problems with it: I could create an after_action in ApplicationController that looks like this:

    after_action :set_authenticity_cookie

    def set_authenticity_cookie
      cookies[:form_authenticity_token] = form_authenticity_token if form_authenticity_token
    end
So basically send the form_authenticity_token to the browser in a cookie instead of putting it in the HTML. Client-side, I could write a little JavaScript that pulls it out of the cookie and dynamically creates the meta tags that jquery-rails is expecting.
Questions:
- Does this expose me to any security problems?
- Is there any reason this wouldn’t work?
Thanks,
Brian
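The client-side half of the scheme described above, written as an added example (not code from the original post or from jquery-rails). It assumes the cookie is named form_authenticity_token as in the after_action above, that Rack has percent-encoded the cookie value (Base64 tokens contain '+', '/' and '='), and that the cookie is not HttpOnly, since script must read it; it runs before any remote form is submitted and leaves the page untouched when no token cookie is present, so the request then fails Rails' verification instead of being sent with a guessed token.

```javascript
// Added example, not from the original post: read the CSRF token out of the
// form_authenticity_token cookie (name assumed from the post's after_action)
// and create the csrf-param / csrf-token meta tags that jquery-rails reads.

const CSRF_COOKIE = 'form_authenticity_token'; // cookie set by set_authenticity_cookie
const CSRF_PARAM = 'authenticity_token';       // Rails' default forgery-protection param name

// Parse a "a=1; b=2" cookie string and return the decoded value for `name`,
// or null if it is absent or malformed. Rack percent-encodes cookie values,
// so the Base64 token must be run through decodeURIComponent.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== name) continue;
    try {
      return decodeURIComponent(part.slice(eq + 1).trim());
    } catch (e) {
      return null; // bad encoding: treat as missing rather than inject garbage
    }
  }
  return null;
}

// Describe the two meta tags jquery-rails expects as {name, content} pairs.
// Returns an empty array when the token cookie is missing so nothing is
// injected; the POST then fails Rails' CSRF check server-side, as it should.
function buildCsrfMetaTags(cookieString) {
  const token = readCookie(cookieString, CSRF_COOKIE);
  if (!token) return [];
  return [
    { name: 'csrf-param', content: CSRF_PARAM },
    { name: 'csrf-token', content: token },
  ];
}

// Insert the tags into <head>, overwriting any existing copies so the
// per-session cookie always wins over anything baked into a cached page.
// Returns the number of tags installed. Browser-only (needs a DOM).
function installCsrfMetaTags(doc, cookieString) {
  const tags = buildCsrfMetaTags(cookieString);
  for (const { name, content } of tags) {
    let meta = doc.querySelector('meta[name="' + name + '"]');
    if (!meta) {
      meta = doc.createElement('meta');
      meta.setAttribute('name', name);
      doc.head.appendChild(meta);
    }
    meta.setAttribute('content', content);
  }
  return tags.length;
}

if (typeof document !== 'undefined') {
  installCsrfMetaTags(document, document.cookie); // run at page load, before any remote form fires
}
```

Because Rails compares the submitted authenticity_token against the token stored in the session, not against this cookie, a cookie value an attacker plants (for example from a sibling subdomain) only causes the request to be rejected; the cookie is a transport for the token, not the thing being verified.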