diff options
| author | Zachary Scott <e@zzak.io> | 2014-12-22 06:50:10 -0500 |
|---|---|---|
| committer | Zachary Scott <e@zzak.io> | 2014-12-22 06:50:10 -0500 |
| commit | bac74d66ecf2ed31e30aa9a5f8fbb87fc8cfcfee (patch) | |
| tree | 5fbfc8b1eb55d0f6b06da8b81887c5b39731775c /guides/source/security.md | |
| parent | a1ec6a5d1a202414947edaba66b7fb4d60a38b4e (diff) | |
| parent | f7d81c924fd498ae6fd1852070db0553a10b0c41 (diff) | |
| download | rails-bac74d66ecf2ed31e30aa9a5f8fbb87fc8cfcfee.tar.gz rails-bac74d66ecf2ed31e30aa9a5f8fbb87fc8cfcfee.tar.bz2 rails-bac74d66ecf2ed31e30aa9a5f8fbb87fc8cfcfee.zip | |
Merge pull request #18105 from andreynering/guides-csrf
Add note about Ajax and CSRF-Token [ci skip]
Diffstat (limited to 'guides/source/security.md')
| -rw-r--r-- | guides/source/security.md | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index b3869b1ba5..32890e0606 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -237,7 +237,7 @@ Or the attacker places the code into the onmouseover event handler of an image: <img src="http://www.harmless.com/img" width="400" height="400" onmouseover="..." /> ``` -There are many other possibilities, like using a `<script>` tag to make a cross-site request to a URL with a JSONP or JavaScript response. The response is executable code that the attacker can find a way to run, possibly extracting sensitive data. To protect against this data leakage, we disallow cross-site `<script>` tags. Only Ajax requests may have JavaScript responses since XmlHttpRequest is subject to the browser Same-Origin policy - meaning only your site can initiate the request. +There are many other possibilities, like using a `<script>` tag to make a cross-site request to a URL with a JSONP or JavaScript response. The response is executable code that the attacker can find a way to run, possibly extracting sensitive data. To protect against this data leakage, we disallow cross-site `<script>` tags. Only Ajax requests may have JavaScript responses since `XMLHttpRequest` is subject to the browser Same-Origin policy - meaning only your site can initiate the request. To protect against all other forged requests, we introduce a _required security token_ that our site knows but other sites don't know. We include the security token in requests and verify it on the server. This is a one-liner in your application controller, and is the default for newly created rails applications: @@ -247,6 +247,13 @@ protect_from_forgery with: :exception This will automatically include a security token in all forms and Ajax requests generated by Rails. If the security token doesn't match what was expected, an exception will be thrown. +NOTE: By default, Rails includes jQuery and a [unobtrusive scripting adapter for jQuery](https://github.com/rails/jquery-ujs), +which adds a header called `X-CSRF-Token` on every non-GET Ajax call made by jQuery with the security token. +Without this header, your non-GET requests won't be accepted by Rails. If you want to use another library +to make Ajax calls, you will have to find how add the security token as a default header for Ajax calls in +your library. To get the token have a look at the `<meta name='csrf-token' content='THE-TOKEN'>` tag printed +by `<%= csrf_meta_tags %>` in your application view. + It is common to use persistent cookies to store user information, with `cookies.permanent` for example. In this case, the cookies will not be cleared and the out of the box CSRF protection will not be effective. If you are using a different cookie store than the session for this information, you must handle what to do with it yourself: ```ruby |