I am trying to imagine "dynamically generated public JavaScript" but nothing comes to my mind. Any small bit of information, even the fact that the user is logged in, or blocked, is somewhat sensitive IMO. Opt-out is a must-have indeed. E.g. in a development env it might be convenient to reach .json endpoints directly.
On Tuesday, December 3, 2013 1:12:14 AM UTC+7, Xavier Noria wrote:
>
> In this thread it has been repeated several times that .js endpoints via GET are a security breach. And that people should stick to JSON.
>
> Let me make clear for the archives that is not generally the case. There are valid use cases for dynamically generated public JavaScript, for example when your application exposes a widget 3rd party clients request to have their DOM modified with content. Think Disqus. I have implemented centralized rating systems for hotel providers that work that way.
>
> The potential problem happens when your JavaScript GET endpoint exposes sensitive/private data.
>
> Now, since the former is a rare use-case compared to the latter, the XHR protection should probably be enabled by default, but you need still to be able to opt-out.
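To make the distinction in the thread concrete, here is an added example (not code from the thread, from Rails, or from either poster) written as a dependency-free Rack-style handler. It serves a public widget script, a private per-user script, and the same user data as JSON, and applies the "require XHR for .js responses" rule with an explicit opt-out list. The path names, the `PUBLIC_JS_PATHS` constant and the `session=alice` cookie lookup are all constructed for this example and are not a Rails API.

```ruby
require "json"

# Paths that deliberately serve public JavaScript to third-party pages
# (the widget case from the thread). Assumed names for this example.
PUBLIC_JS_PATHS = ["/widget.js"].freeze

# Constructed session lookup: the cookie "session=alice" stands in for a
# real signed session cookie. Nothing here is Rails code.
def current_user(env)
  return nil unless env["HTTP_COOKIE"].to_s.split(/;\s*/).include?("session=alice")
  { "name" => "alice", "email" => "alice@example.com" }
end

# A cross-origin <script src=...> tag cannot add custom request headers,
# while the browser still attaches the victim's cookies. Only XMLHttpRequest
# or fetch from an origin allowed to send the header can set it, so requiring
# it blocks script-tag inclusion of JavaScript that embeds private data.
def xhr?(env)
  env["HTTP_X_REQUESTED_WITH"].to_s.casecmp?("XMLHttpRequest")
end

def js_response(body)
  [200, { "Content-Type" => "text/javascript" }, [body]]
end

def handle(env)
  path = env["PATH_INFO"]
  return [405, {}, ["GET only"]] unless env["REQUEST_METHOD"] == "GET"

  # The protection is on by default for every .js response; endpoints listed
  # in PUBLIC_JS_PATHS opt out because they carry no per-user data.
  if path.end_with?(".js") && !PUBLIC_JS_PATHS.include?(path) && !xhr?(env)
    return [403, { "Content-Type" => "text/plain" }, ["non-XHR request for JavaScript rejected"]]
  end

  case path
  when "/widget.js"
    # Public: same content for everyone, safe to include from any site.
    js_response("document.write('rating: 4.5');")
  when "/me.js"
    # Private data embedded in executable JavaScript: this is the risky case.
    user = current_user(env)
    return [401, {}, ["login required"]] unless user
    js_response("window.currentUser = #{JSON.generate(user)};")
  when "/me.json"
    # A JSON object body is a syntax error as a script program, so a
    # <script> tag cannot execute it; the XHR guard is not applied here.
    user = current_user(env)
    return [401, {}, ["login required"]] unless user
    [200, { "Content-Type" => "application/json" }, [JSON.generate(user)]]
  else
    [404, {}, ["not found"]]
  end
end

# Builds a minimal Rack env for a GET request; used by the demo below.
def env_for(path, cookie: nil, xhr: false)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => path }
  env["HTTP_COOKIE"] = cookie if cookie
  env["HTTP_X_REQUESTED_WITH"] = "XMLHttpRequest" if xhr
  env
end

if __FILE__ == $PROGRAM_NAME
  # A page on another origin includes <script src="/me.js">: the victim's
  # cookie is sent, but no XHR header can be, so the request is refused.
  p handle(env_for("/me.js", cookie: "session=alice"))[0]            # 403
  # The application's own XHR call succeeds.
  p handle(env_for("/me.js", cookie: "session=alice", xhr: true))[0] # 200
  # The public widget needs no header and is served to anyone.
  p handle(env_for("/widget.js"))[0]                                 # 200
end
```

The guard runs before authentication on purpose: a rejected cross-site inclusion should not even reveal whether the cookie was valid, which is the "even the fact that the user is logged in is sensitive" point made in the reply above.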
