On one hand, if you explain/reach people with the security concern of JS templates, they will most likely rewrite it to JSON-style. On the other hand, if they blindly update their Rails/don't read the news, the only way to reach them is a deprecation warning. Or maybe just a WARNING?

What I actually want is to make people understand and check if they have this problem. Deprecation is one of the means to do it.

On Monday, December 2, 2013 8:40:52 AM UTC+7, will.bryant wrote:
> That's still OK if it's public data. (Obviously anything with a CSRF token in it isn't.)
>
> It'd be nice if it was more explicit though, as the vulnerable cases are not obvious.
>
> On 2/12/2013, at 13:59 , Anthony Richardson <[email protected]> wrote:
>
> > Would a solution be to prevent Rails apps from serving "non-static" JS from GET requests? Assets served from the asset pipeline would be allowed. JS returned via controllers/views would need explicitly defined permission to be served via a GET request.
> >
> > On Sun, Dec 1, 2013 at 11:28 PM, Greg Molnar <[email protected]> wrote:
> >
> > > > Rails should move on to API-like servers and single page apps, not necessarily breaking old school tools, but such a dinosaur should be considered a bad & insecure practice. Why patch it then at all?
> > >
> > > Single page apps are not everyone's cup of tea. Maybe I am old school, but I like to keep on the server side everything I can, because I have more control there.
> > >
> > > On Sunday, December 1, 2013 5:27:21 AM UTC+1, Egor Homakov wrote:
> > > >
> > > > This might work out, but damnit, isn't everyone agreed here that "returning JS" is 2008 style?
> > > >
> > > > Rails should move on to API-like servers and single page apps, not necessarily breaking old school tools, but such a dinosaur should be considered a bad & insecure practice. Why patch it then at all?
> > > >
> > > > On Sunday, December 1, 2013 2:19:09 AM UTC+7, Brian D. Armstrong wrote:
> > > > >
> > > > > What about prefixing while(1) at the beginning of JS responses with Rack middleware, and then stripping it out client side?
> > > > >
> > > > > http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses
> > > > >
> > > > > This is the solution used by Facebook and Google.
> > > > >
> > > > > http://blag.7tonlnu.pl/blog/2012/09/27/json-hijacking-in-rails/
> > >
> > > --
> > > You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
> > > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > > To post to this group, send email to [email protected].
> > > Visit this group at http://groups.google.com/group/rubyonrails-core.
> > > For more options, visit https://groups.google.com/groups/opt_out.
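Added example, not code from the thread, from Rails, or from any participant: a plain-Ruby Rack-style middleware implementing the `while(1);` guard Brian D. Armstrong floats above. It narrows the guard to the case that matters for JS templates: a JavaScript response to a non-XHR GET, which is exactly what a cross-site `<script src="https://victim/accounts/1.js">` include produces, while the app's own same-origin XHR (which sends `X-Requested-With: XMLHttpRequest`, a header a script tag cannot add) gets the response unchanged. Paths under `/assets/` pass through, mirroring Anthony Richardson's point that asset-pipeline JS is public by design. The class and helper names, the `/assets/` prefix, the sample payload and the fake app are all assumptions constructed for the example.

```ruby
# Hypothetical middleware (added example; not the thread's, Rails', or any
# participant's code). Conforms to the Rack call(env) -> [status, headers, body]
# contract but needs no Rack gem, so it runs stand-alone.
class JsHijackGuard
  GUARD = "while(1);".freeze
  JS_TYPES = %w[text/javascript application/javascript application/x-javascript].freeze
  ASSET_PREFIX = "/assets/".freeze # asset-pipeline output: public by design (assumed prefix)

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless guard_needed?(env, headers)

    # Buffer the body so the prefix and a recomputed Content-Length stay consistent.
    chunks = []
    body.each { |chunk| chunks << chunk }
    body.close if body.respond_to?(:close)
    guarded = GUARD + chunks.join
    headers = headers.merge("Content-Length" => guarded.bytesize.to_s)
    [status, headers, [guarded]]
  end

  private

  def guard_needed?(env, headers)
    return false unless env["REQUEST_METHOD"] == "GET"
    return false if env["PATH_INFO"].to_s.start_with?(ASSET_PREFIX)
    # A cross-site <script src> include cannot send this header; the app's own
    # same-origin XHR (jQuery, rails-ujs) does, so those responses pass untouched.
    return false if env["HTTP_X_REQUESTED_WITH"] == "XMLHttpRequest"
    ctype = headers["Content-Type"].to_s.split(";").first.to_s.strip.downcase
    JS_TYPES.include?(ctype)
  end
end

# Constructed stand-in for a controller rendering a JS template that embeds
# per-user data: the pattern the thread is worried about.
VULNERABLE_APP = lambda do |env|
  payload = %q{$("#account").html("<p>Balance for alice: 1234</p>");}
  [200, { "Content-Type" => "text/javascript; charset=utf-8" }, [payload]]
end

# Run one request through the guarded stack; returns [status, headers, body_string].
def guarded_request(method, path, xhr: false, app: VULNERABLE_APP)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path }
  env["HTTP_X_REQUESTED_WITH"] = "XMLHttpRequest" if xhr
  status, headers, body = JsHijackGuard.new(app).call(env)
  [status, headers, body.join]
end

# Client-side counterpart for Brian's unconditional variant (prefix everything,
# strip before eval). Written in Ruby only to keep the example in one language.
def strip_guard(js)
  js.start_with?(JsHijackGuard::GUARD) ? js[JsHijackGuard::GUARD.size..-1] : js
end

if __FILE__ == $PROGRAM_NAME
  _, _, cross_site  = guarded_request("GET", "/accounts/1.js")
  _, _, same_origin = guarded_request("GET", "/accounts/1.js", xhr: true)
  puts "cross-site <script src>: #{cross_site}"
  puts "same-origin XHR:         #{same_origin}"
end
```

Two caveats worth keeping in mind. The guard only defends against `<script src>` inclusion: the attacker's page cannot read the script source, so the infinite loop runs before any of the response executes; it does nothing for data the attacker can fetch some other way. And the `X-Requested-With` gate holds only as long as the server does not answer cross-origin preflights permissively; a CORS policy that allows that header from arbitrary origins would let a cross-site XHR bypass it. Any JS response that genuinely must be loadable from other sites (the "explicitly defined permission" Anthony mentions) would need an explicit exemption, which this example deliberately does not provide.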
