Rails request forgery protection settings -

-

please newbie in rails :) have protect_from_forgery call (which given default) no attributes in applicationcontroller class.

basically here's code:

class applicationcontroller < actioncontroller::base   helper :all # include helpers, time   protect_from_forgery   helper_method :current_user_session, :current_user   filter_parameter_logging :password, :password_confirmation

what assume should is: should prevent post requests without correct authenticity_token. when send post request jquery 1 below, works fine (there's update statement executed in database)!

$.post($(this).attr("href"), { _method: "put", data: { test: true } });

i see in console there's no authenticity_token among sent parameters, request still considered valid. why that?

upd found config setting in config/environments/development.rb

config.action_controller.consider_all_requests_local = true

because of dev environment , local requests, these jquery post requests ok.

there nothing wrong code long request $.post($(this).attr("href"), { _method: "put", data: { test: true } }); executed within app itself. if had app running elsewhere, example on localhost:3001, , sent post there won't work. infact if on firefox > 3.0 has implementation of cross site xhr too. example can send post other site (but works provided protect_from_forgery turned off!). reason why auth token not necessary xhr cross site xhr disabled. safe use xhr without providing auth token. if try else other app, sure raise exception asking auth token. should have crossdomain.xml defined prevent access outside sources.

try doing this: curl -x -d url_endpoint_of_your_app. see if 200 response code. if there fishy.


Comments

Post a Comment

Popular posts from this blog

javascript - Enclosure Memory Copies -

-
function myclass() { //lots , lots of vars , code here. this.bar = function() { //do numerous enclosed myclass vars } this.foo = function() { alert('hello'); //don't enclosed variables. } } each instance of myclass gets own copy of bar , foo, why prototyped methods use less memory. however, know more memory use of inner methods. it seems obvious me (1) below must true. agree? not distinct myclass instances have own distinct copies of bar, must have own distinct copies of myclass enclosure. (or else how bar method keep myclass variables straight on per instance basis?) now (2) question i'm after. since inner foo method doesn't use in myclass enclosure natural qustion is: javascript smart enough not keep myclass enclosure in memory use of foo? this depend entirely on implementation not language. naive implementations keep far more around others. answer true e.g. v8 (chrome's js engine) may not true spider...
Read more

php - Replacing tags in braces, even nested tags, with regex -

-
example preg_replace('/\{[a-za-z.,\(\)0-9]+\}/', 'replaced', 'lorem ipsum dolor sit {tag1({tag2()})}, consectetur adipiscing elit.'); the result: lorem ipsum dolor sit {tag1(replaced)}, consectetur adipiscing elit. question as can see "tag2" has been replaced, want replace "tag1" know how can this? (in cases might this: {tag1({tag2({tag3()})})}) , on.) btw using preg_replace_callback, easier show preg_replace here site can test code: http://www.spaweditor.com/scripts/regex/index.php you need add curly braces character set. here's pattern used: /\{[a-za-z.,\(\)\{\}0-9]+\}/ and here result: "lorem ipsum dolor sit replaced, consectetur adipiscing elit."
Read more