If the security concern is only about CSRF, what about not rendering CSRF token 
in templates at all?

I mean, UJS may solve this problem appending the CSRF token from meta tag.

If that’s not elegant since it will require javascript, even for static forms, 
we may do that only for .js.erb views.

Basically, if a form is rendered through a js view, do not render the CSRF 
token.

Homakov, that would fix the security concern without removing the .js.erb views?

Cheers,

Gabriel Sobrinho
gabrielsobrinho.com
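An added illustration of the proposal above (this is not Rails or rails-ujs code; the module name, method names and the `format:` argument are assumptions made for the example): the token is embedded as a hidden field only for an HTML response, a JS-format response gets a form with no token so that a cross-origin `<script>` load of the .js view has nothing to harvest, and the layout's meta tag remains the place UJS reads the token from.

```ruby
require "securerandom"
require "erb"

# Hypothetical helper mirroring the thread's idea: keep the CSRF token out of
# forms rendered by JS views and rely on the <meta name="csrf-token"> tag.
module CsrfAwareForm
  module_function

  # Token stored in the user's session (constructed here for the example).
  def new_session_token
    SecureRandom.base64(32)
  end

  # Render the form markup. An HTML response is only readable by same-origin
  # pages, so the hidden field is safe there. A JS response can be pulled in by
  # any site via a <script> tag, so for :js no token is written into the form.
  def render_form(action:, format:, session_token:)
    parts = [%(<form action="#{ERB::Util.html_escape(action)}" method="post">)]
    if format == :html
      parts << %(<input type="hidden" name="authenticity_token" ) +
               %(value="#{ERB::Util.html_escape(session_token)}">)
    end
    parts << "</form>"
    parts.join
  end

  # Meta tag emitted once in the HTML layout; UJS copies its content into the
  # request (header or authenticity_token param) when the form is submitted.
  def csrf_meta_tag(session_token)
    %(<meta name="csrf-token" content="#{ERB::Util.html_escape(session_token)}">)
  end

  # Server-side check of a submitted token against the session token, using a
  # constant-time byte comparison so the comparison itself leaks no timing.
  def valid_token?(session_token, submitted)
    return false if submitted.nil? || submitted.bytesize != session_token.bytesize
    diff = 0
    session_token.bytes.zip(submitted.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end
end
```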

On Dec 2, 2013, at 7:37 AM, Chris Mear <[email protected]> wrote:

>> On 2 Dec 2013, at 09:32, Michael Pavling <[email protected]> wrote:
> 
> 
>> On 2 December 2013 09:09, Alex <[email protected]> wrote:
>> This attack is not possible with non js content loaded by XHR or iframes, as 
>> the browser enforces cross-domain restrictions for both, and evil site will 
>> not be able to get at good site's content. 
>> 
>> If the operators of EvilSite have gone to such lengths to contrive forms and 
>> overridden JS methods to potentially steal a tiny bit of possibly private 
>> HTML and data, could they not take the next small step and use a browser 
>> that *does not* enforce cross-domain restrictions on XHR? (or frankly, write 
>> their hacks with wget or curl)
> 
> The idea is not that the evil site operators will access their own site 
> themselves, but that they will get legitimate users of your site to visit 
> their evil site (and thereby steal the legitimate users' private data). So, 
> for their ploy to be successful, it needs to work in standard browsers that 
> ordinary users will be using.
> 
> Chris
> 

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.