That's still OK if it's public data. (Obviously anything with a CSRF token in it isn't.)
It'd be nice if it was more explicit though, as the vulnerable cases are not obvious.

On 2/12/2013, at 13:59, Anthony Richardson <[email protected]> wrote:

> Would a solution be to prevent rails apps from serving "non static" JS from
> GET requests. Assets served from the asset pipeline would be allowed. JS
> returned via controllers/views would need explicitly defined permission to be
> served via a GET request.
>
> On Sun, Dec 1, 2013 at 11:28 PM, Greg Molnar <[email protected]> wrote:
>
> > > Rails should move on, to API-like servers and single page apps, not
> > > necessarily breaking old school tools, but such a dinosaur should be
> > > considered as a bad & insecure practice. Why patch it then at all?
> >
> > Single page apps are not everyone's cup of tea. Maybe I am old school but I
> > like to keep on the server side everything I can because I have more control
> > there.
> >
> > On Sunday, December 1, 2013 5:27:21 AM UTC+1, Egor Homakov wrote:
> >
> > > This might work out, but damnit, isn't everyone agreed here that "returning
> > > JS" is 2008 style?
> > >
> > > Rails should move on, to API-like servers and single page apps, not
> > > necessarily breaking old school tools, but such a dinosaur should be
> > > considered as a bad & insecure practice. Why patch it then at all?
> > >
> > > On Sunday, December 1, 2013 2:19:09 AM UTC+7, Brian D. Armstrong wrote:
> > >
> > > > What about prefixing while(1) on the beginning of js responses with rack
> > > > middleware, and then stripping them out client side?
> > > > http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses
> > > >
> > > > This is the solution used by Facebook and Google.
> > > >
> > > > http://blag.7tonlnu.pl/blog/2012/09/27/json-hijacking-in-rails/

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.
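One way to implement the Rack-middleware idea Brian floats in the quoted thread, as an added example that is not code from the thread or from Rails itself; the /assets/ exclusion, the sample app and the token it returns are constructed assumptions:

```ruby
# Added example, not from the thread or from Rails: a Rack middleware that
# prepends "while(1);" to JavaScript responses served on GET, so a cross-site
# <script src=...> inclusion hangs instead of running the body. Uses only the
# Rack calling convention (app.call(env) -> [status, headers, body]); no gem.
class JsHijackGuard
  PREFIX = "while(1);".freeze
  JS_TYPES = %w[application/javascript text/javascript application/x-javascript].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless guard?(env, headers)

    chunks = []
    body.each { |c| chunks << c }
    body.close if body.respond_to?(:close)
    payload = PREFIX + chunks.join
    headers = headers.reject { |k, _| k.casecmp?("content-length") }
                     .merge("Content-Length" => payload.bytesize.to_s)
    [status, headers, [payload]]
  end

  # Guard only what a <script> tag can fetch: a GET with a JavaScript body.
  # Static assets are assumed to live under /assets/ and are left untouched.
  def guard?(env, headers)
    return false unless env["REQUEST_METHOD"] == "GET"
    return false if env["PATH_INFO"].to_s.start_with?("/assets/")
    ctype = headers.find { |k, _| k.casecmp?("content-type") }&.last.to_s
    JS_TYPES.any? { |t| ctype.start_with?(t) }
  end
end

# Client-side counterpart: strip the prefix before the code is evaluated.
def strip_guard_prefix(text)
  text.start_with?(JsHijackGuard::PREFIX) ? text[JsHijackGuard::PREFIX.length..-1] : text
end

# Constructed sample app: any .js path returns a controller-style JS response
# carrying a CSRF token (the body the thread says must not leak cross-site).
SAMPLE_JS = "$('meta[name=csrf-token]').attr('content', 'constructed-token');"
SAMPLE_APP = lambda do |env|
  if env["PATH_INFO"].end_with?(".js")
    [200, { "Content-Type" => "text/javascript; charset=utf-8" }, [SAMPLE_JS]]
  else
    [200, { "Content-Type" => "text/html" }, ["<p>constructed page</p>"]]
  end
end
```

The prefix only defeats `<script>` inclusion of the response; it complements, rather than replaces, refusing to serve token-bearing JS on GET in the first place.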
