I think we should rather try to find a way to make this secure. What would be a sane default? Only respond to js format if the request is xhr? To be honest I read Egor's post but I'm still not sure how this exploit would work. I will look at his examples when I get some free time and hopefully that will help me understand it more.
On Monday, December 2, 2013 3:52:53 PM UTC+1, Gabriel Sobrinho wrote:
>
> I see, extracting it as a gem fixes the problem, at least for the rails
> itself, which is what we want.
>
> The extracted gem must explicitly explain the security concerns on the top
> of README, regardless of the fact that people usually don't read it.
>
> Rails already did that for other features, for other reasons but the same
> idea applies, deprecate the usage on rails itself but allow who explicitly
> wants/needs to use.
>
> Time to pull request?
>
> Cheers,
>
> Gabriel Sobrinho
> gabrielsobrinho.com
>
> On Dec 2, 2013, at 12:19 PM, Egor Homakov <[email protected]> wrote:
>
> Apparently many readers have no clue how this attack works, and people
> keep asking the same questions. Thanks to people who clarified it in more
> detail than I did.
>
> All we can do is to add is-.xhr? protection or Warning (not necessarily
> Deprecation). There is no other sane way to mitigate it.
>
> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov wrote:
>>
>> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>>
>> Here in discussion I proposed to deprecate JS responder because this
>> technique is insecure and not a pragmatic way to transfer data.
>> It can be exploited in this way
>> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>>
>> I find this bug very often so I know what I'm talking about. With it
>> attacker can steal user data and authenticity_token if templates with form
>> were leaked too.
>>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe
> .
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To post to this group, send email to [email protected]
> .
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
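One way to implement the sane default proposed at the top of this reply (answer a js-format request only when it is an XHR), as an added example written for this page and not code from the thread or from Rails itself; the middleware class `RequireXhrForJs`, the upstream app `USER_DATA_APP`, the helper `status_for` and the sample requests are all constructed:

```ruby
# Hypothetical Rack-style middleware: a request for the js format is only
# answered when it is an XMLHttpRequest. Works on a plain Rack env hash, so
# neither Rails nor the rack gem is needed to run it.
class RequireXhrForJs
  JS_PATH = /\.js\z/

  def initialize(app)
    @app = app
  end

  # Same header Rails' request.xhr? inspects. A browser does not add it to a
  # <script src=...> include, and a foreign origin cannot add it without CORS.
  def xhr?(env)
    env["HTTP_X_REQUESTED_WITH"].to_s.casecmp?("XMLHttpRequest")
  end

  # Rails selects the js format from a .js path extension or a format=js param.
  def js_format?(env)
    env["PATH_INFO"].to_s.match?(JS_PATH) ||
      env["QUERY_STRING"].to_s.split("&").include?("format=js")
  end

  def call(env)
    if js_format?(env) && !xhr?(env)
      # Refuse rather than serve the script: a cross-site include would run
      # the response (and any user data or authenticity_token embedded in it)
      # inside the including page.
      return [403, { "content-type" => "text/plain" },
              ["js format is only served to XMLHttpRequest requests\n"]]
    end
    @app.call(env)
  end
end

# Constructed upstream app: a JS responder that embeds per-user data, the kind
# of response the thread is about.
USER_DATA_APP = lambda do |env|
  body = if env["PATH_INFO"].end_with?(".js")
           "$('#profile').html('<b>alice@example.com</b>');"
         else
           "<html>profile</html>"
         end
  [200, { "content-type" => "text/plain" }, [body]]
end

# Status the protected stack returns for a GET; headers use Rack's HTTP_* keys.
def status_for(path, query: "", headers: {})
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => path, "QUERY_STRING" => query }
  RequireXhrForJs.new(USER_DATA_APP).call(env.merge(headers)).first
end

if $PROGRAM_NAME == __FILE__
  xhr = { "HTTP_X_REQUESTED_WITH" => "XMLHttpRequest" }
  puts status_for("/profile.js", headers: xhr)    # 200: the app's own Ajax call
  puts status_for("/profile.js")                  # 403: looks like a <script src> include
  puts status_for("/profile", query: "format=js") # 403: same via the format param
  puts status_for("/profile")                     # 200: ordinary HTML page
end
```

The check only closes the script-inclusion vector; responses that carry user data or the authenticity_token are still better moved to JSON or HTML responders, as the thread itself argues.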
