diff options
| author | Eileen M. Uchitelle <eileencodes@gmail.com> | 2015-09-16 07:56:32 -0400 |
|---|---|---|
| committer | Eileen M. Uchitelle <eileencodes@gmail.com> | 2015-09-16 07:56:32 -0400 |
| commit | 3edc7f7a1ce39a63828ecb7488dcedc188aa23f9 (patch) | |
| tree | e221131d992a55b8443390d08d248c5bc57dc966 | |
| parent | 93181210234411b9a918cca481422eabebe5400e (diff) | |
| parent | 570cd2481653be3d5bc8962b4b95360c6569041b (diff) | |
| download | rails-3edc7f7a1ce39a63828ecb7488dcedc188aa23f9.tar.gz rails-3edc7f7a1ce39a63828ecb7488dcedc188aa23f9.tar.bz2 rails-3edc7f7a1ce39a63828ecb7488dcedc188aa23f9.zip | |
Merge pull request #21618 from designgrill/master
Improved explanation of the <script> tag CSRF behavior
| -rw-r--r-- | guides/source/security.md | 2 | ||||
| -rw-r--r-- | guides/source/upgrading_ruby_on_rails.md | 6 |
2 files changed, 3 insertions, 5 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index 93c270064a..772a0b474c 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -245,7 +245,7 @@ Or the attacker places the code into the onmouseover event handler of an image: <img src="http://www.harmless.com/img" width="400" height="400" onmouseover="..." /> ``` -There are many other possibilities, like using a `<script>` tag to make a cross-site request to a URL with a JSONP or JavaScript response. The response is executable code that the attacker can find a way to run, possibly extracting sensitive data. To protect against this data leakage, we disallow cross-site `<script>` tags. Only Ajax requests may have JavaScript responses since `XMLHttpRequest` is subject to the browser Same-Origin policy - meaning only your site can initiate the request. +There are many other possibilities, like using a `<script>` tag to make a cross-site request to a URL with a JSONP or JavaScript response. The response is executable code that the attacker can find a way to run, possibly extracting sensitive data. To protect against this data leakage, we disallow dynamic JS responses for anything other than ajax requests irrespective of the origin. Only Ajax requests may have JavaScript responses since `XmlHttpRequest` is subject to the browser Same-Origin policy - meaning only your site can initiate ajax requests. To protect against all other forged requests, we introduce a _required security token_ that our site knows but other sites don't know. We include the security token in requests and verify it on the server. This is a one-liner in your application controller, and is the default for newly created rails applications: diff --git a/guides/source/upgrading_ruby_on_rails.md b/guides/source/upgrading_ruby_on_rails.md index 30c0fcb294..2de9d6045e 100644 --- a/guides/source/upgrading_ruby_on_rails.md +++ b/guides/source/upgrading_ruby_on_rails.md @@ -316,11 +316,9 @@ Upgrading from Rails 4.0 to Rails 4.1 Or, "whaaat my tests are failing!!!?" -Cross-site request forgery (CSRF) protection now covers GET requests with -JavaScript responses, too. This prevents a third-party site from referencing -your JavaScript URL and attempting to run it to extract sensitive data. +Cross-site request forgery (CSRF) protection now covers GET requests with dynamic JavaScript responses, too. By default, all javascript responses generated by an action will be blocked for non xhr requests. This will block usage of such urls in any `<script>` tag including your own. That way, in a possible attack scenario, it prevents a third-party site from referencing your JavaScript URL and attempting to run it to extract sensitive data. -This means that your functional and integration tests that use +It also means that your functional and integration tests that use ```ruby get :index, format: :js |