author    Zachary Scott <e@zzak.io>    2014-12-22 06:50:10 -0500
committer Zachary Scott <e@zzak.io>    2014-12-22 06:50:10 -0500
commit    bac74d66ecf2ed31e30aa9a5f8fbb87fc8cfcfee
tree      5fbfc8b1eb55d0f6b06da8b81887c5b39731775c /guides
parent    a1ec6a5d1a202414947edaba66b7fb4d60a38b4e
parent    f7d81c924fd498ae6fd1852070db0553a10b0c41
Merge pull request #18105 from andreynering/guides-csrf
Add note about Ajax and CSRF-Token [ci skip]
Diffstat (limited to 'guides')
-rw-r--r--  guides/source/security.md  9
1 files changed, 8 insertions, 1 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index b3869b1ba5..32890e0606 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -237,7 +237,7 @@ Or the attacker places the code into the onmouseover event handler of an image:
<img src="http://www.harmless.com/img" width="400" height="400" onmouseover="..." />
```
-There are many other possibilities, like using a `<script>` tag to make a cross-site request to a URL with a JSONP or JavaScript response. The response is executable code that the attacker can find a way to run, possibly extracting sensitive data. To protect against this data leakage, we disallow cross-site `<script>` tags. Only Ajax requests may have JavaScript responses since XmlHttpRequest is subject to the browser Same-Origin policy - meaning only your site can initiate the request.
+There are many other possibilities, like using a `<script>` tag to make a cross-site request to a URL with a JSONP or JavaScript response. The response is executable code that the attacker can find a way to run, possibly extracting sensitive data. To protect against this data leakage, we disallow cross-site `<script>` tags. Only Ajax requests may have JavaScript responses since `XMLHttpRequest` is subject to the browser Same-Origin policy - meaning only your site can initiate the request.
To protect against all other forged requests, we introduce a _required security token_ that our site knows but other sites don't know. We include the security token in requests and verify it on the server. This is a one-liner in your application controller, and is the default for newly created rails applications:
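Review bot: The `XMLHttpRequest` casing fix on the changed line is correct, but the justification that follows it is imprecise and, since the line is being touched anyway, worth tightening: the browser's Same-Origin policy does not prevent another site from initiating an `XMLHttpRequest` to your application, it prevents that site from reading the response (unless you opt in with CORS headers). "meaning only your site can initiate the request" therefore overstates the protection; something like "since the browser's Same-Origin policy prevents other sites from reading the response of an `XMLHttpRequest` made to your site" matches what actually stops the data leakage described earlier in the paragraph.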
@@ -247,6 +247,13 @@ protect_from_forgery with: :exception
This will automatically include a security token in all forms and Ajax requests generated by Rails. If the security token doesn't match what was expected, an exception will be thrown.
+NOTE: By default, Rails includes jQuery and a [unobtrusive scripting adapter for jQuery](https://github.com/rails/jquery-ujs),
+which adds a header called `X-CSRF-Token` on every non-GET Ajax call made by jQuery with the security token.
+Without this header, your non-GET requests won't be accepted by Rails. If you want to use another library
+to make Ajax calls, you will have to find how add the security token as a default header for Ajax calls in
+your library. To get the token have a look at the `<meta name='csrf-token' content='THE-TOKEN'>` tag printed
+by `<%= csrf_meta_tags %>` in your application view.
+
It is common to use persistent cookies to store user information, with `cookies.permanent` for example. In this case, the cookies will not be cleared and the out of the box CSRF protection will not be effective. If you are using a different cookie store than the session for this information, you must handle what to do with it yourself:
```ruby
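Review bot: The added NOTE states that "Without this header, your non-GET requests won't be accepted by Rails", which is stronger than what the paragraph just above it says: the token is also included in every Rails-generated form, so a non-GET form submission that carries the token as a parameter is accepted without any `X-CSRF-Token` header. Suggest narrowing it to "Without this header, your non-GET Ajax requests won't be accepted by Rails". Two grammar fixes in the same paragraph: "a [unobtrusive scripting adapter" should be "an [unobtrusive scripting adapter", and "you will have to find how add the security token" should be "you will have to find out how to add the security token". Finally, since the NOTE tells readers to configure a default header in a different Ajax library, it would be worth adding the caveat that the header should only be attached to requests to your own origin, as the jQuery adapter does, so the token is not handed to third-party endpoints.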