path: root/actionpack/lib/action_controller/metal/request_forgery_protection.rb
Commit log (most recent first). Each entry lists the commit message, author, date, files touched and lines removed/added, followed by the commit body where one exists.

* Spelling/typo/grammatical fixes [ci skip]
  Author: karanarora   Date: 2015-05-23   Files: 1   Lines: -1/+1
    spelling fix [ci skip]; example to be consistent [ci skip]; grammatical fix; typo fixes [ci skip]

* Merge branch 'master' of github.com:rails/docrails
  Author: Vijay Dev   Date: 2015-05-08   Files: 1   Lines: -1/+1

* Add missing "of" to RequestForgeryProtection doc.
  Author: Hendy Tanata   Date: 2015-04-27   Files: 1   Lines: -1/+1
    [ci skip]

* Updated request_forgery_protection docs [ci skip]
  Author: Prathamesh Sonpatki   Date: 2015-04-28   Files: 1   Lines: -5/+6
    - Changed Javascript to JavaScript.
    - Added full-stop which was missing, also wrapped the sentence to 80 chars.
    - Changed proc to Proc and oauth to OAuth.

* Add note regarding CSRF for APIs, as a use-case for skipping it [ci skip]
  Author: Zachary Scott   Date: 2015-04-12   Files: 1   Lines: -0/+4

* Apply comments from @jeremy regarding why HTML and Javascript requests specifically are checked for CSRF, when dealing with the browser. [ci skip]
  Author: Zachary Scott   Date: 2015-04-12   Files: 1   Lines: -0/+5

* update request_forgery_protection docs [ci skip]
  Author: Vladimir Lyzo   Date: 2015-04-12   Files: 1   Lines: -7/+8

* Try only to decode strings
  Author: Rafael Mendonça França   Date: 2015-02-18   Files: 1   Lines: -2/+4
    This approach will avoid us to check for NoMethodError when trying to decode

* Handle non-string authenticity tokens
  Author: Ville Lautanala   Date: 2015-02-12   Files: 1   Lines: -1/+1
    Non-string authenticity tokens raised NoMethodError when decoding the masked token.

* Add prepend option to protect_from_forgery.
  Author: Josef Šimánek   Date: 2015-01-08   Files: 1   Lines: -1/+8

* Improve protect_from_forgery documentation. [ci skip]
  Author: Josef Šimánek   Date: 2015-01-06   Files: 1   Lines: -3/+3

* Document all options for protect_from_forgery.
  Author: Josef Šimánek   Date: 2015-01-04   Files: 1   Lines: -8/+2
    [ci skip]

* Merge pull request #18102 from arthurnn/nodoc_constant
  Author: Arthur Nogueira Neves   Date: 2014-12-19   Files: 1   Lines: -0/+1
    Add nodoc to some constants [skip ci]

* Use AS secure_compare for CSRF token comparison
  Author: Guillermo Iguaran   Date: 2014-10-23   Files: 1   Lines: -2/+2

* Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-token
  Author: Jeremy Kemper   Date: 2014-08-19   Files: 1   Lines: -3/+65
    CSRF token mask from breach-mitigation-rails gem

* Auth token mask from breach-mitigation-rails gem
  Author: Bradley Buda   Date: 2014-08-19   Files: 1   Lines: -3/+65
    This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack.
    The patch is pretty simple - I've copied over the relevant code (https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks.

* Uppercase HTML in docs.
  Author: Hendy Tanata   Date: 2014-08-08   Files: 1   Lines: -2/+2
    [skip ci]

* Fix protect_from_forgery docs
  Author: David Albert   Date: 2014-07-27   Files: 1   Lines: -1/+1

* Moved 'params[request_forgery_protection_token]' into its own method and improved tests.
  Author: Tom Kadwill   Date: 2014-05-06   Files: 1   Lines: -1/+1

* Make CSRF failure logging optional/configurable.
  Author: John Barton (joho)   Date: 2014-03-05   Files: 1   Lines: -1/+7
    Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection which is on by default.

* Clearly limit new CSRF protection to GET requests
  Author: Jeremy Kemper   Date: 2013-12-17   Files: 1   Lines: -2/+7

* CSRF protection from cross-origin <script> tags
  Author: Jeremy Kemper   Date: 2013-12-17   Files: 1   Lines: -13/+61
    Thanks to @homakov for sounding the alarm about JSONP-style data leaking

* NullSessionHash#destroy should be a no-op
  Author: Jonathan Baudanza   Date: 2013-09-18   Files: 1   Lines: -0/+3
    Previously it was raising a NilException

* [ci skip] document protect_against_forgery? method
  Author: Weston Platter   Date: 2013-05-10   Files: 1   Lines: -0/+1

* This cache is not needed
  Author: Santiago Pastorino   Date: 2013-02-21   Files: 1   Lines: -2/+1

* Use composition to figure out the forgery protection strategy
  Author: Santiago Pastorino   Date: 2013-02-21   Files: 1   Lines: -9/+27

* Fix #9168 Initialize NullCookieJar with all options needed for KeyGenerator
  Author: Andrey Chernih   Date: 2013-02-08   Files: 1   Lines: -1/+1

* Merge pull request #9032 from firmhouse/head-breaks-csrf
  Author: Santiago Pastorino   Date: 2013-01-28   Files: 1   Lines: -2/+2
    Make HEAD work / convert to GET once more

* Added request.head? to forgery protection code
  Author: Michiel Sikkes   Date: 2013-01-22   Files: 1   Lines: -2/+2

* Integrate Action Pack with Rack 1.5
  Author: Carlos Antonio da Silva   Date: 2013-01-25   Files: 1   Lines: -3/+4
    All ActionPack and Railties tests are passing. Closes #8891.
    [Carlos Antonio da Silva + Santiago Pastorino]

* use `_action` instead of `_filter` callbacks
  Author: Francesco Rodriguez   Date: 2012-12-07   Files: 1   Lines: -6/+6

* Sign cookies using key deriver
  Author: Santiago Pastorino   Date: 2012-11-03   Files: 1   Lines: -4/+4

* Multiple changes to 1.9 hash syntax
  Author: AvnerCohen   Date: 2012-10-27   Files: 1   Lines: -3/+3

* Build fix for ActionMailer
  Author: Arun Agrawal   Date: 2012-09-14   Files: 1   Lines: -0/+1
    See http://travis-ci.org/#!/rails/rails/jobs/2444632

* Implement :null_session CSRF protection method
  Author: Sergey Nartimov   Date: 2012-09-13   Files: 1   Lines: -22/+70
    It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946. The :null_session CSRF protection method provides an empty session during request processing but doesn't reset it completely (as :reset_session does).

* load active_support/core_ext/class/attribute in active_support/rails
  Author: Xavier Noria   Date: 2012-08-02   Files: 1   Lines: -1/+0

* copy editing [ci skip]
  Author: Vijay Dev   Date: 2012-06-14   Files: 1   Lines: -4/+7

* on CSRF whitelisting the argument for :if must be a symbol
  Author: Daniel Lopes   Date: 2012-06-07   Files: 1   Lines: -1/+1

* fix typos on the CSRF whitelisting doc
  Author: Daniel Lopes   Date: 2012-06-07   Files: 1   Lines: -3/+3

* Document the CSRF whitelisting on get requests
  Author: Daniel Lopes   Date: 2012-06-07   Files: 1   Lines: -5/+16

* Removing ==Examples and last blank lines of docs from actionpack
  Author: Francesco Rodriguez   Date: 2012-05-15   Files: 1   Lines: -2/+0

* CSRF messages are no longer controlled by 422.html because InvalidAuthenticityToken is not raised
  Author: Tony Primerano   Date: 2012-03-28   Files: 1   Lines: -1/+0

* configure how unverified request will be handled
  Author: Sergey Nartimov   Date: 2012-03-09   Files: 1   Lines: -2/+18
    can be configured using `:with` option in `protect_from_forgery` method or `request_forgery_protection_method` config option
    possible values:
    - :reset_session (default)
    - :exception
    new applications are generated with: protect_from_forgery :with => :exception

* removed warning because logger.warn differentiate the warnings
  Author: Karunakar (Ruby)   Date: 2012-01-05   Files: 1   Lines: -1/+1

* Change log level for CSRF token verification warning
  Author: Mike Dillon   Date: 2011-09-10   Files: 1   Lines: -1/+1

* Changed a few instances of words in the API docs written in British English to American English (according to Weber)
  Author: Oemuer Oezkir   Date: 2011-07-24   Files: 1   Lines: -1/+1

* TODO fix explicitly loading exceptations, autoload removed
  Author: Vishnu Atrai   Date: 2011-07-11   Files: 1   Lines: -0/+1

* document handle_unverified_request method
  Author: Vijay Dev   Date: 2011-07-02   Files: 1   Lines: -0/+2

* update doc about resetting the session in case of authenticity token mismatch
  Author: Vijay Dev   Date: 2011-07-01   Files: 1   Lines: -6/+5

* Merge branch 'master' of git://github.com/lifo/docrails
  Author: Xavier Noria   Date: 2011-05-25   Files: 1   Lines: -3/+3
    Conflicts:
    actionmailer/lib/action_mailer/base.rb
    activesupport/lib/active_support/core_ext/kernel/requires.rb