Would a solution be to prevent Rails apps from serving "non-static" JS from GET requests? Assets served from the asset pipeline would be allowed. JS returned via controllers/views would need explicitly defined permission to be served via a GET request.
On Sun, Dec 1, 2013 at 11:28 PM, Greg Molnar <[email protected]> wrote:

>> Rails should move on, to API-like servers and single page apps, not
>> necessarily breaking old school tools, but such a dinosaur should be
>> considered as a bad & insecure practice. Why patch it then at all?
>
> Single page apps are not everyone's cup of tea. Maybe I am old school but
> I like to keep on the server side everything I can because I have more
> control there.
>
> On Sunday, December 1, 2013 5:27:21 AM UTC+1, Egor Homakov wrote:
>>
>> This might work out, but damnit, isn't everyone agreed here that
>> "returning JS" is 2008 style?
>>
>> Rails should move on, to API-like servers and single page apps, not
>> necessarily breaking old school tools, but such a dinosaur should be
>> considered as a bad & insecure practice. Why patch it then at all?
>>
>> On Sunday, December 1, 2013 2:19:09 AM UTC+7, Brian D. Armstrong wrote:
>>>
>>> What about prefixing while(1) on the beginning of JS responses with Rack
>>> middleware, and then stripping them out client side?
>>>
>>> http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses
>>>
>>> This is the solution used by Facebook and Google.
>>>
>>> http://blag.7tonlnu.pl/blog/2012/09/27/json-hijacking-in-rails/
>>>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
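The two counter-measures floated in this thread (refuse dynamic JS on a plain GET unless the controller explicitly allows it, as proposed at the top, and the Google/Facebook `while(1);` prefix from Brian's message) can both be expressed as a Rack middleware. The following is an added example written for this page; it is not code from the thread and not Rails' own implementation. The class name `JsHijackGuard`, the per-request opt-in key `js_hijack_guard.allow`, the `/assets/` prefix used to recognise asset-pipeline responses, and the sample app and requests are all assumptions made for the illustration. The XHR check it relies on is the same idea Rails 4.1 later adopted for JS responses (`ActionController::InvalidCrossOriginRequest`): a `<script src>` tag on another origin cannot add an `X-Requested-With` header, so its absence on a GET for script content marks a request a hijacker could have made.

```ruby
# Added example (not from the thread, not Rails' own code): a Rack-style
# middleware that guards dynamic JS/JSON responses against JSON/JS hijacking.
# Plain Ruby; a Rack middleware is just an object whose #call(env) returns
# [status, headers, body], so this runs without the rack gem installed.
class JsHijackGuard
  # Response types that a <script src=...> tag on an attacker's page could load.
  GUARDED_TYPES = %w[application/javascript text/javascript application/json].freeze
  # Hypothetical per-request opt-in: a controller that really must serve
  # dynamic JS to a plain GET sets request.env[ALLOW_KEY] = true (assumed name).
  ALLOW_KEY = 'js_hijack_guard.allow'.freeze
  # The "poison" prefix Google and Facebook prepend: a script tag executes it
  # and hangs, while the site's own client strips it before parsing the body.
  PREFIX = 'while(1);'.freeze

  # mode:         :reject -> answer 403 instead of the dynamic JS
  #               :prefix -> serve it, but prepended with PREFIX
  # asset_prefix: path under which the asset pipeline serves static files (assumed)
  def initialize(app, mode: :reject, asset_prefix: '/assets/')
    raise ArgumentError, "unknown mode #{mode.inspect}" unless %i[reject prefix].include?(mode)
    @app, @mode, @asset_prefix = app, mode, asset_prefix
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless hijackable?(env, headers)

    if @mode == :reject
      body.close if body.respond_to?(:close)
      msg = 'dynamic JavaScript is not served to plain GET requests'
      return [403, { 'Content-Type' => 'text/plain', 'Content-Length' => msg.bytesize.to_s }, [msg]]
    end

    poisoned = [PREFIX] + drain(body)
    headers = headers.merge('Content-Length' => poisoned.sum(&:bytesize).to_s)
    [status, headers, poisoned]
  end

  private

  # A response needs guarding when a cross-site <script> tag could fetch it:
  # a GET, not a pipeline asset, not explicitly allowed, not an XHR (a script
  # tag cannot set X-Requested-With, and a cross-origin XHR carrying that header
  # must pass a CORS preflight first), and of a script/JSON content type.
  def hijackable?(env, headers)
    return false unless env['REQUEST_METHOD'] == 'GET'
    return false if env['PATH_INFO'].to_s.start_with?(@asset_prefix)
    return false if env[ALLOW_KEY]
    return false if env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
    type = content_type(headers)
    GUARDED_TYPES.any? { |t| type.start_with?(t) }
  end

  def content_type(headers)
    pair = headers.find { |k, _| k.to_s.casecmp('content-type').zero? }
    pair ? pair[1].to_s : ''
  end

  # Read the downstream body into memory so the prefix can be prepended.
  def drain(body)
    chunks = []
    body.each { |c| chunks << c.to_s }
    body.close if body.respond_to?(:close)
    chunks
  end
end

# Constructed sample app and requests so the example runs stand-alone:
# a dynamic .js action that leaks per-user data, plus one pipeline asset.
SAMPLE_JS = "$('#inbox').html('<li>secret mail</li>');\n".freeze
SAMPLE_APP = lambda do |env|
  if env['PATH_INFO'].start_with?('/assets/')
    [200, { 'Content-Type' => 'application/javascript' }, ["function f(){}\n"]]
  else
    [200, { 'Content-Type' => 'application/javascript' }, [SAMPLE_JS]]
  end
end

def sample_env(path, xhr: false, allow: false)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path }
  env['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest' if xhr
  env[JsHijackGuard::ALLOW_KEY] = true if allow
  env
end

# Run one request through the guard and return [status, joined body].
def run(mode, path, **opts)
  status, _headers, body = JsHijackGuard.new(SAMPLE_APP, mode: mode).call(sample_env(path, **opts))
  [status, body.join]
end

if __FILE__ == $PROGRAM_NAME
  p run(:reject, '/messages.js')             # script tag from another origin -> 403
  p run(:reject, '/messages.js', xhr: true)  # same-origin XHR -> 200, original JS
  p run(:reject, '/messages.js', allow: true) # controller opted in -> 200
  p run(:reject, '/assets/app.js')           # pipeline asset -> untouched
  p run(:prefix, '/messages.js')             # "while(1);" prepended instead of refused
end
```

In `:prefix` mode the site's own client has to strip the prefix before it evaluates the response, exactly the client-side step Brian's message mentions; in `:reject` mode no client change is needed, but any non-browser API consumer that fetches JSON with a plain GET would need the opt-in (or JSON dropped from `GUARDED_TYPES`), since such clients do not send `X-Requested-With`.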
