I'm afraid the CSRF token is not the only private data that could be
sent in the template.
I'm actually surprised so many applications seem to use RJS, including
some applications I do use, like Redmine or GitLab.
Maybe I should create the habit of using an anonymous session for
regular browsing to avoid getting my private data stolen from
applications using RJS in Rails... :(
I really think RJS should be moved to a gem and not included by default
in Rails and stop promoting its usage...
Rodrigo.
On 02-12-2013 11:27, Gabriel Sobrinho wrote:
If the security concern is only about CSRF, what about not rendering
CSRF token in templates at all?
I mean, UJS may solve this problem by appending the CSRF token from the meta tag.
If that’s not elegant since it will require javascript, even for
static forms, we may do that only for .js.erb views.
Basically, if a form is rendered through a js view, do not render the
CSRF token.
Homakov, that would fix the security concern without removing the
.js.erb views?
Cheers,
Gabriel Sobrinho
gabrielsobrinho.com
On Dec 2, 2013, at 7:37 AM, Chris Mear <[email protected]> wrote:
On 2 Dec 2013, at 09:32, Michael Pavling <[email protected]> wrote:
On 2 December 2013 09:09, Alex <[email protected]> wrote:
This attack is not possible with non js content loaded by XHR or
iframes, as the browser enforces cross-domain restrictions for
both, and the evil site will not be able to get at the good site's content.
If the operators of EvilSite have gone to such lengths to contrive
forms and overridden JS methods to potentially steal a tiny bit of
possibly private HTML and data, could they not take the next small
step and use a browser that *does not* enforce cross-domain
restrictions on XHR? (or frankly, write their hacks with wget or curl)
The idea is not that the evil site operators will access their own
site themselves, but that they will get legitimate users of your site
to visit their evil site (and thereby steal the legitimate users'
private data). So, for their ploy to be successful, it needs to work
in standard browsers that ordinary users will be using.
Chris
--
You received this message because you are subscribed to a topic in
the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this topic, visit
https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to
[email protected].
To post to this group, send email to
[email protected].
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.
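Added example, written for this page and not taken from any message in the thread or from Rails itself: plain Ruby with no Rails dependency and hypothetical helper names, modelling the two defences discussed above. The first is Gabriel's proposal: leave the authenticity_token out of any form rendered inside a .js.erb response and let UJS add it from the csrf-token meta tag of the already-loaded page. The second is a server-side guard that refuses to serve a JavaScript response to a plain (non-XHR) GET, which is how a cross-origin <script src> inclusion from the evil site arrives in the victim's browser, while same-origin XHR (which, as Alex notes, the browser already confines cross-origin) and token-checked non-GET requests pass.

```ruby
require 'cgi'

# Layout helper: the one place the CSRF token is written into the page.
# Client-side code (UJS) reads it from here and attaches it to requests.
def csrf_meta_tag(csrf_token)
  %(<meta name="csrf-token" content="#{CGI.escapeHTML(csrf_token)}">)
end

# Form helper (hypothetical). The hidden authenticity_token field is emitted
# only for a full HTML response. For a form delivered inside a .js.erb
# response the field is omitted, so a cross-origin script inclusion of that
# response does not carry the victim's token.
def render_form(action:, format:, csrf_token:)
  fields = []
  if format == :html
    fields << %(<input type="hidden" name="authenticity_token" value="#{CGI.escapeHTML(csrf_token)}">)
  end
  fields << %(<input type="text" name="title">)
  %(<form action="#{CGI.escapeHTML(action)}" method="post">#{fields.join}</form>)
end

# Review/test check: does a rendered body expose the session's token at all?
def leaks_token?(body, csrf_token)
  body.include?(csrf_token)
end

# Simplified model of what UJS does on the client: read the token from the
# meta tag and merge it into the parameters of an outgoing same-origin request.
def ujs_form_params(page_html, form_params)
  raw = page_html[/<meta name="csrf-token" content="([^"]*)">/, 1]
  return form_params unless raw
  form_params.merge('authenticity_token' => CGI.unescapeHTML(raw))
end

# Server-side guard (assumption: modelled here, not Rails' own code). A
# <script src="..."> loaded by another origin arrives as a GET without the
# XMLHttpRequest marker; a legitimate UJS request is XHR. Non-GET requests
# are assumed to be covered by the authenticity_token verification.
def serve_js_response?(http_method:, xhr:)
  return true unless http_method == 'GET'
  xhr
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values, not real tokens.
  token = 'constructed-token-123'
  page = "<html><head>#{csrf_meta_tag(token)}</head></html>"
  puts "html form leaks token: #{leaks_token?(render_form(action: '/items', format: :html, csrf_token: token), token)}"
  puts "js form leaks token:   #{leaks_token?(render_form(action: '/items', format: :js, csrf_token: token), token)}"
  puts "UJS params:            #{ujs_form_params(page, 'title' => 'x').inspect}"
  puts "serve JS to plain GET: #{serve_js_response?(http_method: 'GET', xhr: false)}"
end
```

The HTML form still carries the token because a cross-origin page cannot read an HTML response at all, so it leaks nothing; the .js.erb form omits it because that response type is executed, not merely fetched, by a script tag on any origin. The guard is the belt to that suspender: even a .js.erb view that does embed something private is no longer served to a bare cross-origin GET.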