For Rails 4.1: https://github.com/rails/rails/pull/13345
Since we don't know the response format until rendering, it's simplest to use an after_action to verify that we aren't serving JS to a non-XHR GET request. This piggybacks on the same `protect_from_forgery` declarations that apps already use, so they'll transparently get protection without changing anything. Apps that intentionally expose JavaScript responses (like third-party widgets, per-customer API embeds, etc.) will need to exclude those actions using the existing `protect_from_forgery` API.

Thanks everyone for the (long) discussion and thanks to Egor for the initial report - months ago now! - and this reminder.

On Sun, Dec 8, 2013 at 10:51 PM, David Heinemeier Hansson <[email protected]> wrote:
> Jeremy Kemper is assigned to this. We will get this in shortly.
>
> On Dec 8, 2013, at 20:19, Egor Homakov <[email protected]> wrote:
>
> So if/when will this make it to master?
>
> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov wrote:
>>
>> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>>
>> Here in the discussion I proposed to deprecate the JS responder because this
>> technique is insecure and not a pragmatic way to transfer data.
>> It can be exploited in this way:
>> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>>
>> I find this bug very often so I know what I'm talking about. With it an
>> attacker can steal user data and the authenticity_token if templates with a form
>> were leaked too.
>>
> --
> You received this message because you are subscribed to a topic in the
> Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to
> [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
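The after_action approach described in the message above, as an added stand-alone example that is not code from the thread or from the Rails pull request. It simulates the idea in plain Ruby with no Rails dependency: an action renders user data as JavaScript (the RJS-style pattern Egor's post warns about, which an attacker's page can pull in with `<script src="https://victim.example/messages.js">`), and a hook that runs after the action refuses to return a JavaScript content type to a GET that did not arrive via XHR. `Request`, `Response`, `ApplicationController#verify_same_origin_request`, `CrossOriginRequestError`, the controllers and the sample data are all hypothetical names and constructed input; the real Rails implementation uses its own class and method names and ties the check to `protect_from_forgery`, which this example only approximates by letting a controller override the hook to opt out.

```ruby
# Added example: simulates "after rendering, refuse to serve JS to a
# non-XHR GET request" without Rails. All names below are hypothetical
# stand-ins, not Rails' own API.
require 'set'

# Minimal request stand-in (hypothetical, mirrors the bits of
# ActionDispatch::Request the check needs).
Request = Struct.new(:http_method, :path, :headers, keyword_init: true) do
  def get?; http_method == 'GET'; end
  # jQuery/XMLHttpRequest callers send this header; <script src> cannot.
  def xhr?; headers['X-Requested-With'] == 'XMLHttpRequest'; end
end

# Minimal response stand-in; the action sets content_type and body.
Response = Struct.new(:content_type, :body, keyword_init: true)

class CrossOriginRequestError < StandardError; end

# Hypothetical base controller running the check as an after-action hook.
class ApplicationController
  JS_TYPES = Set['text/javascript', 'application/javascript', 'application/x-javascript']

  attr_reader :request, :response

  def initialize(request)
    @request  = request
    @response = Response.new(content_type: 'text/html', body: '')
  end

  # Run the action, then the after-action check, like Rails' callback order.
  def process(action)
    send(action)
    verify_same_origin_request
    response
  end

  private

  # A JS body answered to a plain GET is loadable cross-origin via
  # <script src>, so its contents (user data, CSRF token) leak to the
  # attacker's page. XHR GETs are same-origin-only, so they are allowed.
  def verify_same_origin_request
    return unless request.get? && !request.xhr?
    media_type = response.content_type.to_s.split(';').first.to_s.strip
    return unless JS_TYPES.include?(media_type)
    raise CrossOriginRequestError, "refusing JS response to non-XHR GET #{request.path}"
  end
end

# Hypothetical action rendering private data as executable JS (constructed sample data).
class MessagesController < ApplicationController
  INBOX_JS = "$('#inbox').html(\"hi from alice\"); window.token = 'abc123';" # constructed

  def index
    if request.path.end_with?('.js')
      response.content_type = 'text/javascript; charset=utf-8'
      response.body = INBOX_JS
    else
      response.content_type = 'text/html'
      response.body = "<div id='inbox'></div>"
    end
  end
end

# Hypothetical widget that intentionally serves public JS to third parties
# and opts out of the check (the analogue of excluding an action).
class WidgetsController < ApplicationController
  def show
    response.content_type = 'application/javascript'
    response.body = "document.write('public widget');"
  end

  private

  def verify_same_origin_request; end
end

# Dispatch helper: a blocked response becomes a text/plain error instead of JS.
def serve(controller_class, action, request)
  controller_class.new(request).process(action)
rescue CrossOriginRequestError => e
  Response.new(content_type: 'text/plain', body: e.message)
end
```

Running `serve(MessagesController, :index, Request.new(http_method: 'GET', path: '/messages.js', headers: {}))` yields the text/plain refusal, while the same request with `'X-Requested-With' => 'XMLHttpRequest'` gets the JavaScript body; the HTML page and the opted-out widget are unaffected.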
