aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/test/controller/request_forgery_protection_test.rb
diff options
context:
space:
mode:
authorJeremy Kemper <jeremy@bitsweat.net>2013-12-17 16:02:04 -0700
committerJeremy Kemper <jeremy@bitsweat.net>2013-12-17 16:02:04 -0700
commit4f4fdd643f9d19fbbeeec3ac77674f791c9beffa (patch)
tree17b9c9ca81d7a5d531827db5f9e500ef8de63544 /actionpack/test/controller/request_forgery_protection_test.rb
parentd3fcaba6266d99ef9a5ad6d9154b1257e1300310 (diff)
downloadrails-4f4fdd643f9d19fbbeeec3ac77674f791c9beffa.tar.gz
rails-4f4fdd643f9d19fbbeeec3ac77674f791c9beffa.tar.bz2
rails-4f4fdd643f9d19fbbeeec3ac77674f791c9beffa.zip
Clearly limit new CSRF protection to GET requests
Diffstat (limited to 'actionpack/test/controller/request_forgery_protection_test.rb')
-rw-r--r--actionpack/test/controller/request_forgery_protection_test.rb10
1 files changed, 10 insertions, 0 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index f1ed545205..1f5fc06410 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -305,6 +305,16 @@ module RequestForgeryProtectionTests
end
end
+ # Allow non-GET requests since GET is all a remote <script> tag can muster.
+ def test_should_allow_non_get_js_without_xhr_header
+ assert_cross_origin_not_blocked { post :same_origin_js, custom_authenticity_token: @token }
+ assert_cross_origin_not_blocked { post :same_origin_js, format: 'js', custom_authenticity_token: @token }
+ assert_cross_origin_not_blocked do
+ @request.accept = 'text/javascript'
+ post :negotiate_same_origin, custom_authenticity_token: @token
+ end
+ end
+
def test_should_only_allow_cross_origin_js_get_without_xhr_header_if_protection_disabled
assert_cross_origin_not_blocked { get :cross_origin_js }
assert_cross_origin_not_blocked { get :cross_origin_js, format: 'js' }
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-10 07:01:12 +0000