diff options
author | Yauheni Dakuka <yauheni.dakuka@gmail.com> | 2018-03-12 14:39:24 +0300 |
---|---|---|
committer | Yauheni Dakuka <yauheni.dakuka@gmail.com> | 2018-03-12 15:36:26 +0300 |
commit | f1b14944841ab4890dacb755dcae627dae101d67 (patch) | |
tree | e85361a90054ebe591ac6968243b338a7844aa70 /guides/source/security.md | |
parent | aacda9c6901bef01ffac6a11b073305676b3062f (diff) | |
download | rails-f1b14944841ab4890dacb755dcae627dae101d67.tar.gz rails-f1b14944841ab4890dacb755dcae627dae101d67.tar.bz2 rails-f1b14944841ab4890dacb755dcae627dae101d67.zip |
Fix note marks [ci skip]
Diffstat (limited to 'guides/source/security.md')
-rw-r--r-- | guides/source/security.md | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index 28ddbdc26a..4cf6c06f2d 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -325,7 +325,7 @@ Or the attacker places the code into the onmouseover event handler of an image: There are many other possibilities, like using a `<script>` tag to make a cross-site request to a URL with a JSONP or JavaScript response. The response is executable code that the attacker can find a way to run, possibly extracting sensitive data. To protect against this data leakage, we must disallow cross-site `<script>` tags. Ajax requests, however, obey the browser's same-origin policy (only your own site is allowed to initiate `XmlHttpRequest`) so we can safely allow them to return JavaScript responses. -Note: We can't distinguish a `<script>` tag's origin—whether it's a tag on your own site or on some other malicious site—so we must block all `<script>` across the board, even if it's actually a safe same-origin script served from your own site. In these cases, explicitly skip CSRF protection on actions that serve JavaScript meant for a `<script>` tag. +NOTE: We can't distinguish a `<script>` tag's origin—whether it's a tag on your own site or on some other malicious site—so we must block all `<script>` across the board, even if it's actually a safe same-origin script served from your own site. In these cases, explicitly skip CSRF protection on actions that serve JavaScript meant for a `<script>` tag. To protect against all other forged requests, we introduce a _required security token_ that our site knows but other sites don't know. We include the security token in requests and verify it on the server. This is a one-liner in your application controller, and is the default for newly created Rails applications: |