diff options
| author | Jeremy Kemper <jeremy@bitsweat.net> | 2013-12-17 16:02:04 -0700 |
|---|---|---|
| committer | Jeremy Kemper <jeremy@bitsweat.net> | 2013-12-17 16:02:04 -0700 |
| commit | 4f4fdd643f9d19fbbeeec3ac77674f791c9beffa (patch) | |
| tree | 17b9c9ca81d7a5d531827db5f9e500ef8de63544 /actionpack/test/controller | |
| parent | d3fcaba6266d99ef9a5ad6d9154b1257e1300310 (diff) | |
| download | rails-4f4fdd643f9d19fbbeeec3ac77674f791c9beffa.tar.gz rails-4f4fdd643f9d19fbbeeec3ac77674f791c9beffa.tar.bz2 rails-4f4fdd643f9d19fbbeeec3ac77674f791c9beffa.zip | |
Clearly limit new CSRF protection to GET requests
Diffstat (limited to 'actionpack/test/controller')
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index f1ed545205..1f5fc06410 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -305,6 +305,16 @@ module RequestForgeryProtectionTests end end + # Allow non-GET requests since GET is all a remote <script> tag can muster. + def test_should_allow_non_get_js_without_xhr_header + assert_cross_origin_not_blocked { post :same_origin_js, custom_authenticity_token: @token } + assert_cross_origin_not_blocked { post :same_origin_js, format: 'js', custom_authenticity_token: @token } + assert_cross_origin_not_blocked do + @request.accept = 'text/javascript' + post :negotiate_same_origin, custom_authenticity_token: @token + end + end + def test_should_only_allow_cross_origin_js_get_without_xhr_header_if_protection_disabled assert_cross_origin_not_blocked { get :cross_origin_js } assert_cross_origin_not_blocked { get :cross_origin_js, format: 'js' } |