Reflect how CSRF protection now works and refer to the Security Guide for more information

author: Joost Baaij <joost@spacebabies.nl> 2010-08-26 23:03:30 +0200
committer: Joost Baaij <joost@spacebabies.nl> 2010-08-26 23:03:30 +0200
commit: c28d46a92d1ed91fe929871f5e0e4adcda46c2a7 (patch)
tree: 6eb6714811a0b9758a91ec1ae34c9ab7e6dc3eb1
parent: ca36326706edc6cc2ceffa18d093ba799cc65caf (diff)
download: rails-c28d46a92d1ed91fe929871f5e0e4adcda46c2a7.tar.gz
rails-c28d46a92d1ed91fe929871f5e0e4adcda46c2a7.tar.bz2
rails-c28d46a92d1ed91fe929871f5e0e4adcda46c2a7.zip
1 files changed, 18 insertions, 36 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index b632e7aab6..fc3118671f 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -4,45 +4,27 @@ module ActionController #:nodoc:
   class InvalidAuthenticityToken < ActionControllerError #:nodoc:
   end
 
-  # Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current
-  # web application, not a forged link from another site, is done by embedding a token based on a random
-  # string stored in the session (which an attacker wouldn't know) in all forms and Ajax requests generated
-  # by Rails and then verifying the authenticity of that token in the controller.  Only HTML/JavaScript
-  # requests are checked, so this will not protect your XML API (presumably you'll have a different
-  # authentication scheme there anyway).  Also, GET requests are not protected as these should be
-  # idempotent anyway.
+  # Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks
+  # by including a token in the rendered html for your application. This token is
+  # stored as a random string in the session, to which an attacker does not have
+  # access. When a request reaches your application, \Rails then verifies the received
+  # token with the token in the session. Only HTML and javascript requests are checked,
+  # so this will not protect your XML API (presumably you'll have a different
+  # authentication scheme there anyway). Also, GET requests are not protected as these
+  # should be idempotent.
   #
-  # This is turned on with the <tt>protect_from_forgery</tt> method, which will check the token and raise an
-  # ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the
-  # error message in production by editing public/422.html.  A call to this method in ApplicationController is
-  # generated by default in post-Rails 2.0 applications.
+  # CSRF protection is turned on with the <tt>protect_from_forgery</tt> method,
+  # which will check the token and raise an ActionController::InvalidAuthenticityToken
+  # if it doesn't match what was expected. A call to this method is generated for new
+  # \Rails applications by default. You can customize the error message by editing
+  # public/422.html. 
   #
-  # The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form
-  # manually (without the use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to
-  # include a hidden field named like that and set its value to what is returned by
-  # <tt>form_authenticity_token</tt>.
-  #
-  # Request forgery protection is disabled by default in test environment. If you are upgrading from Rails
-  # 1.x, add this to config/environments/test.rb:
-  #
-  #   # Disable request forgery protection in test environment
-  #   config.action_controller.allow_forgery_protection = false
-  #
-  # == Learn more about CSRF (Cross-Site Request Forgery) attacks
-  #
-  # Here are some resources:
-  # * http://isc.sans.org/diary.html?storyid=1750
-  # * http://en.wikipedia.org/wiki/Cross-site_request_forgery
-  #
-  # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
-  # There are a few guidelines you should follow:
-  #
-  # * Keep your GET requests safe and idempotent.  More reading material:
-  #   * http://www.xml.com/pub/a/2002/04/24/deviant.html
-  #   * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
-  #   * Make sure the session cookies that Rails creates are non-persistent.  Check in Firefox and look
-  #     for "Expires: at end of session"
+  # The token parameter is named <tt>authenticity_token</tt> by default. The name and
+  # value of this token must be added to every layout that renders forms by including
+  # <tt>csrf_meta_tag</tt> in the html +head+.
   #
+  # Learn more about CSRF attacks and securing your application in the
+  # {Ruby on Rails Security Guide}[http://guides.rubyonrails.org/security.html].
   module RequestForgeryProtection
     extend ActiveSupport::Concern
author	Joost Baaij <joost@spacebabies.nl>	2010-08-26 23:03:30 +0200
committer	Joost Baaij <joost@spacebabies.nl>	2010-08-26 23:03:30 +0200
commit	c28d46a92d1ed91fe929871f5e0e4adcda46c2a7 (patch)
tree	6eb6714811a0b9758a91ec1ae34c9ab7e6dc3eb1
parent	ca36326706edc6cc2ceffa18d093ba799cc65caf (diff)
download	rails-c28d46a92d1ed91fe929871f5e0e4adcda46c2a7.tar.gz rails-c28d46a92d1ed91fe929871f5e0e4adcda46c2a7.tar.bz2 rails-c28d46a92d1ed91fe929871f5e0e4adcda46c2a7.zip