path: root/actionpack/lib/action_controller/metal/request_forgery_protection.rb
Commit history (each entry: commit message [author, date, files changed, lines -removed/+added]; indented lines are the commit body, nested entries are commits brought in by the merge above them)

* Another place to use a request object in NullSessionHash [Ronak Jangir, 2015-08-23, 1 file, -3/+3]
    May be missed in 5fe141638f1243ac6ae187ae14aa398b4c1875a2 commit. Also fixes the broken build.
* add a setter for the cookie jar [Aaron Patterson, 2015-08-06, 1 file, -1/+1]
* remove `@host` ivar [Aaron Patterson, 2015-08-05, 1 file, -7/+1]
* remove `@secure` ivar [Aaron Patterson, 2015-08-05, 1 file, -2/+1]
* CookieJar does not need the key_generator parameter anymore [Aaron Patterson, 2015-08-05, 1 file, -2/+1]
* stop using an options hash with the cookie jar [Aaron Patterson, 2015-08-05, 1 file, -1/+1]
    The cookie jar can just ask the request object for the information it needs. This allows us to stop allocating hashes for options, and also allows us to delay calculating values in advance. Generating the options hash forced us to calculate values that we may never have needed at runtime.
* move env access to the request object. [Aaron Patterson, 2015-08-05, 1 file, -2/+2]
    Accessing a request object has nice advantages over accessing a hash. If you use a missing method name, you'll get an exception rather than a `nil` (is one nice feature).
* [ci skip] it should be protect_from_forgery [Aditya Kapoor, 2015-07-27, 1 file, -1/+1]
* Merge branch 'master' of github.com:rails/docrails [Vijay Dev, 2015-06-05, 1 file, -1/+1]
  * [ci skip] Upcase `is` [yui-knk, 2015-05-25, 1 file, -1/+1]
* Spelling/typo/grammatical fixes [ci skip] [karanarora, 2015-05-23, 1 file, -1/+1]
    spelling fix [ci skip]
    example to be consistent [ci skip]
    grammatical fix
    typo fixes [ci skip]
* Merge branch 'master' of github.com:rails/docrails [Vijay Dev, 2015-05-08, 1 file, -1/+1]
  * Add missing "of" to RequestForgeryProtection doc. [Hendy Tanata, 2015-04-27, 1 file, -1/+1]
      [ci skip]
* Updated request_forgery_protection docs [ci skip] [Prathamesh Sonpatki, 2015-04-28, 1 file, -5/+6]
    - Changed Javascript to JavaScript.
    - Added full-stop which was missing, also wrapped the sentence to 80 chars.
    - Changed proc to Proc and oauth to OAuth.
* Add note regarding CSRF for APIs, as a use-case for skipping it [ci skip] [Zachary Scott, 2015-04-12, 1 file, -0/+4]
* Apply comments from @jeremy regarding why HTML and Javascript requests specifically are checked for CSRF, when dealing with the browser. [ci skip] [Zachary Scott, 2015-04-12, 1 file, -0/+5]
* update request_forgery_protection docs [ci skip] [Vladimir Lyzo, 2015-04-12, 1 file, -7/+8]
* Try only to decode strings [Rafael Mendonça França, 2015-02-18, 1 file, -2/+4]
    This approach saves us from having to check for NoMethodError when trying to decode.
* Handle non-string authenticity tokens [Ville Lautanala, 2015-02-12, 1 file, -1/+1]
    Non-string authenticity tokens raised NoMethodError when decoding the masked token.
* Add prepend option to protect_from_forgery. [Josef Šimánek, 2015-01-08, 1 file, -1/+8]
* Improve protect_from_forgery documentation. [ci skip] [Josef Šimánek, 2015-01-06, 1 file, -3/+3]
* Document all options for protect_from_forgery. [Josef Šimánek, 2015-01-04, 1 file, -8/+2]
    [ci skip]
* Merge pull request #18102 from arthurnn/nodoc_constant [Arthur Nogueira Neves, 2014-12-19, 1 file, -0/+1]
    Add nodoc to some constants [skip ci]
* Use AS secure_compare for CSRF token comparison [Guillermo Iguaran, 2014-10-23, 1 file, -2/+2]
* Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-token [Jeremy Kemper, 2014-08-19, 1 file, -3/+65]
    CSRF token mask from breach-mitigation-rails gem
  * Auth token mask from breach-mitigation-rails gem [Bradley Buda, 2014-08-19, 1 file, -3/+65]
      This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.
* Uppercase HTML in docs. [Hendy Tanata, 2014-08-08, 1 file, -2/+2]
    [skip ci]
* Fix protect_from_forgery docs [David Albert, 2014-07-27, 1 file, -1/+1]
* Moved 'params[request_forgery_protection_token]' into its own method and improved tests. [Tom Kadwill, 2014-05-06, 1 file, -1/+1]
* Make CSRF failure logging optional/configurable. [John Barton (joho), 2014-03-05, 1 file, -1/+7]
    Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection which is on by default.
* Clearly limit new CSRF protection to GET requests [Jeremy Kemper, 2013-12-17, 1 file, -2/+7]
* CSRF protection from cross-origin <script> tags [Jeremy Kemper, 2013-12-17, 1 file, -13/+61]
    Thanks to @homakov for sounding the alarm about JSONP-style data leaking.
* NullSessionHash#destroy should be a no-op [Jonathan Baudanza, 2013-09-18, 1 file, -0/+3]
    Previously it was raising a NilException.
* [ci skip] document protect_against_forgery? method [Weston Platter, 2013-05-10, 1 file, -0/+1]
* This cache is not needed [Santiago Pastorino, 2013-02-21, 1 file, -2/+1]
* Use composition to figure out the forgery protection strategy [Santiago Pastorino, 2013-02-21, 1 file, -9/+27]
* Fix #9168 Initialize NullCookieJar with all options needed for KeyGenerator [Andrey Chernih, 2013-02-08, 1 file, -1/+1]
* Merge pull request #9032 from firmhouse/head-breaks-csrf [Santiago Pastorino, 2013-01-28, 1 file, -2/+2]
    Make HEAD work / convert to GET once more
  * Added request.head? to forgery protection code [Michiel Sikkes, 2013-01-22, 1 file, -2/+2]
* Integrate Action Pack with Rack 1.5 [Carlos Antonio da Silva, 2013-01-25, 1 file, -3/+4]
    All ActionPack and Railties tests are passing. Closes #8891. [Carlos Antonio da Silva + Santiago Pastorino]
* use `_action` instead of `_filter` callbacks [Francesco Rodriguez, 2012-12-07, 1 file, -6/+6]
* Sign cookies using key deriver [Santiago Pastorino, 2012-11-03, 1 file, -4/+4]
* Multiple changes to 1.9 hash syntax [AvnerCohen, 2012-10-27, 1 file, -3/+3]
* Build fix for ActionMailer [Arun Agrawal, 2012-09-14, 1 file, -0/+1]
    See http://travis-ci.org/#!/rails/rails/jobs/2444632
* Implement :null_session CSRF protection method [Sergey Nartimov, 2012-09-13, 1 file, -22/+70]
    It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946. The :null_session CSRF protection method provides an empty session during request processing but doesn't reset it completely (as :reset_session does).
* load active_support/core_ext/class/attribute in active_support/rails [Xavier Noria, 2012-08-02, 1 file, -1/+0]
* copy editing [ci skip] [Vijay Dev, 2012-06-14, 1 file, -4/+7]
* on CSRF whitelisting the argument for :if must be a symbol [Daniel Lopes, 2012-06-07, 1 file, -1/+1]
* fix typos on the CSRF whitelisting doc [Daniel Lopes, 2012-06-07, 1 file, -3/+3]
* Document the CSRF whitelisting on get requests [Daniel Lopes, 2012-06-07, 1 file, -5/+16]