Xavier, absolutely. Javan has suggested we have something like protect_from_forgery, which can be opted out of on a per-action/controller basis.
On Dec 2, 2013, at 10:12 AM, Xavier Noria <[email protected]> wrote:

> In this thread it has been repeated several times that .js endpoints via GET
> are a security breach. And that people should stick to JSON.
>
> Let me make clear for the archives that this is not generally the case. There are
> valid use cases for dynamically generated public JavaScript, for example when
> your application exposes a widget 3rd party clients request to have their DOM
> modified with content. Think Disqus. I have implemented centralized rating
> systems for hotel providers that work that way.
>
> The potential problem happens when your JavaScript GET endpoint exposes
> sensitive/private data.
>
> Now, since the former is a rare use case compared to the latter, the XHR
> protection should probably be enabled by default, but you still need to be
> able to opt out.
>
> --
> You received this message because you are subscribed to a topic in the Google
> Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
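As an added illustration of the protection the thread is discussing (this is example code written for this page, not Rails' implementation and not code from anyone in the thread), the following Rack-style middleware rejects non-XHR GET requests that will be answered with JavaScript, with an opt-out list for endpoints that are deliberately public, like the widget case Xavier describes. The class name, the `public_js_paths` option, the path-suffix heuristic for "this is a JavaScript response", the inner app and the request hashes are all assumptions constructed for the example; the opt-out here is per path rather than per action/controller. It uses only plain env hashes, so it runs without Rails or the rack gem.

```ruby
# Added example, not code from Rails or from this thread. A Rack-style
# middleware that models "XHR protection on by default, opt-out per endpoint"
# using only plain env hashes, so it runs without Rails or the rack gem.
#
# Why the header check works: a third-party page can load /inbox.js with
# <script src=...> and execute the returned code, but a <script> include cannot
# add custom request headers. Requiring X-Requested-With: XMLHttpRequest lets
# same-origin XHR through while blocking cross-site script inclusion.

class CrossOriginJsProtection
  XHR_HEADER = "HTTP_X_REQUESTED_WITH"

  # public_js_paths (assumed name): endpoints that are deliberately public
  # JavaScript, e.g. an embeddable widget. Everything else served as
  # JavaScript over GET must be an XHR.
  def initialize(app, public_js_paths: [])
    @app = app
    @public_js_paths = public_js_paths
  end

  def call(env)
    if javascript_get?(env) && !xhr?(env) && !opted_out?(env)
      return [422, { "Content-Type" => "text/plain" },
              ["Cross-origin GET of JavaScript is not allowed; send X-Requested-With"]]
    end
    @app.call(env)
  end

  private

  # Heuristic for "this GET will be answered with JavaScript": the path ends
  # in .js or the client explicitly accepts text/javascript.
  def javascript_get?(env)
    env["REQUEST_METHOD"] == "GET" &&
      (env["PATH_INFO"].to_s.end_with?(".js") ||
       env["HTTP_ACCEPT"].to_s.include?("text/javascript"))
  end

  def xhr?(env)
    env[XHR_HEADER] == "XMLHttpRequest"
  end

  def opted_out?(env)
    @public_js_paths.include?(env["PATH_INFO"])
  end
end

# Constructed inner app: /inbox.js writes private data into the DOM (the
# dangerous case), /widget.js is a public widget (the legitimate case).
INNER_APP = lambda do |env|
  body = case env["PATH_INFO"]
         when "/inbox.js"  then "$('#inbox').html('3 unread messages from Alice');"
         when "/widget.js" then "document.write('<div class=rating>4.5</div>');"
         else return [404, { "Content-Type" => "text/plain" }, ["not found"]]
         end
  [200, { "Content-Type" => "text/javascript" }, [body]]
end

PROTECTED_APP = CrossOriginJsProtection.new(INNER_APP, public_js_paths: ["/widget.js"])

# Build a minimal Rack env. A <script src> include from another site yields the
# non-XHR form; a same-origin XHR (e.g. jQuery's $.getScript) sets the header.
def request_env(path, method: "GET", xhr: false)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path, "HTTP_ACCEPT" => "*/*" }
  env["HTTP_X_REQUESTED_WITH"] = "XMLHttpRequest" if xhr
  env
end

# Returns the HTTP status the protected stack gives a request.
def status_for(path, method: "GET", xhr: false)
  PROTECTED_APP.call(request_env(path, method: method, xhr: xhr)).first
end

if __FILE__ == $0
  puts "script include of /inbox.js  -> #{status_for('/inbox.js')}"            # 422
  puts "same-origin XHR of /inbox.js -> #{status_for('/inbox.js', xhr: true)}" # 200
  puts "script include of /widget.js -> #{status_for('/widget.js')}"           # 200, opted out
end
```

The check is deliberately layered on top of, not instead of, the existing CSRF token verification: it only concerns GET requests that return JavaScript, which is exactly the case a token cannot protect because a cross-site `<script>` include carries the victim's cookies and needs no form submission.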
