| Commit message | Author | Age | Files | Lines |
|---|---|---|---|---|
| Spelling/typo/grammatical fixes [ci skip]<br>spelling fix [ci skip] example to be consistent [ci skip] grammatical fix typo fixes [ci skip] | karanarora | 2015-05-23 | 1 | -1/+1 |
| Merge branch 'master' of github.com:rails/docrails | Vijay Dev | 2015-05-08 | 1 | -1/+1 |
| Add missing "of" to RequestForgeryProtection doc.<br>[ci skip] | Hendy Tanata | 2015-04-27 | 1 | -1/+1 |
| Updated request_forgery_protection docs [ci skip]<br>- Changed Javascript to JavaScript.<br>- Added full-stop which was missing, also wrapped the sentence to 80 chars.<br>- Changed proc to Proc and oauth to OAuth. | Prathamesh Sonpatki | 2015-04-28 | 1 | -5/+6 |
| Add note regarding CSRF for APIs, as a use-case for skipping it [ci skip] | Zachary Scott | 2015-04-12 | 1 | -0/+4 |
| Apply comments from @jeremy regarding why HTML and Javascript requests specifically are checked for CSRF, when dealing with the browser. [ci skip] | Zachary Scott | 2015-04-12 | 1 | -0/+5 |
| update request_forgery_protection docs [ci skip] | Vladimir Lyzo | 2015-04-12 | 1 | -7/+8 |
| Try only to decode strings<br>This approach will let us avoid checking for NoMethodError when trying to decode | Rafael Mendonça França | 2015-02-18 | 1 | -2/+4 |
| Handle non-string authenticity tokens<br>Non-string authenticity tokens raised NoMethodError when decoding the masked token. | Ville Lautanala | 2015-02-12 | 1 | -1/+1 |
| Add prepend option to protect_from_forgery. | Josef Šimánek | 2015-01-08 | 1 | -1/+8 |
| Improve protect_from_forgery documentation. [ci skip] | Josef Šimánek | 2015-01-06 | 1 | -3/+3 |
| Document all options for protect_from_forgery.<br>[ci skip] | Josef Šimánek | 2015-01-04 | 1 | -8/+2 |
| Merge pull request #18102 from arthurnn/nodoc_constant<br>Add nodoc to some constants [skip ci] | Arthur Nogueira Neves | 2014-12-19 | 1 | -0/+1 |
| Use AS secure_compare for CSRF token comparison | Guillermo Iguaran | 2014-10-23 | 1 | -2/+2 |
| Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-token<br>CSRF token mask from breach-mitigation-rails gem | Jeremy Kemper | 2014-08-19 | 1 | -3/+65 |
| Auth token mask from breach-mitigation-rails gem<br>This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks. | Bradley Buda | 2014-08-19 | 1 | -3/+65 |
| Uppercase HTML in docs.<br>[skip ci] | Hendy Tanata | 2014-08-08 | 1 | -2/+2 |
| Fix protect_from_forgery docs | David Albert | 2014-07-27 | 1 | -1/+1 |
| Moved 'params[request_forgery_protection_token]' into its own method and improved tests. | Tom Kadwill | 2014-05-06 | 1 | -1/+1 |
| Make CSRF failure logging optional/configurable.<br>Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection which is on by default. | John Barton (joho) | 2014-03-05 | 1 | -1/+7 |
| Clearly limit new CSRF protection to GET requests | Jeremy Kemper | 2013-12-17 | 1 | -2/+7 |
| CSRF protection from cross-origin `<script>` tags<br>Thanks to @homakov for sounding the alarm about JSONP-style data leaking | Jeremy Kemper | 2013-12-17 | 1 | -13/+61 |
| NullSessionHash#destroy should be a no-op<br>Previously it was raising a NilException | Jonathan Baudanza | 2013-09-18 | 1 | -0/+3 |
| [ci skip] document protect_against_forgery? method | Weston Platter | 2013-05-10 | 1 | -0/+1 |
| This cache is not needed | Santiago Pastorino | 2013-02-21 | 1 | -2/+1 |
| Use composition to figure out the forgery protection strategy | Santiago Pastorino | 2013-02-21 | 1 | -9/+27 |
| Fix #9168 Initialize NullCookieJar with all options needed for KeyGenerator | Andrey Chernih | 2013-02-08 | 1 | -1/+1 |
| Merge pull request #9032 from firmhouse/head-breaks-csrf<br>Make HEAD work / convert to GET once more | Santiago Pastorino | 2013-01-28 | 1 | -2/+2 |
| Added request.head? to forgery protection code | Michiel Sikkes | 2013-01-22 | 1 | -2/+2 |
| Integrate Action Pack with Rack 1.5<br>All ActionPack and Railties tests are passing. Closes #8891. [Carlos Antonio da Silva + Santiago Pastorino] | Carlos Antonio da Silva | 2013-01-25 | 1 | -3/+4 |
| use `_action` instead of `_filter` callbacks | Francesco Rodriguez | 2012-12-07 | 1 | -6/+6 |
| Sign cookies using key deriver | Santiago Pastorino | 2012-11-03 | 1 | -4/+4 |
| Multiple changes to 1.9 hash syntax | AvnerCohen | 2012-10-27 | 1 | -3/+3 |
| Build fix for ActionMailer<br>See http://travis-ci.org/#!/rails/rails/jobs/2444632 | Arun Agrawal | 2012-09-14 | 1 | -0/+1 |
| Implement :null_session CSRF protection method<br>It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946. The :null_session CSRF protection method provides an empty session during request processing but doesn't reset it completely (as :reset_session does). | Sergey Nartimov | 2012-09-13 | 1 | -22/+70 |
| load active_support/core_ext/class/attribute in active_support/rails | Xavier Noria | 2012-08-02 | 1 | -1/+0 |
| copy editing [ci skip] | Vijay Dev | 2012-06-14 | 1 | -4/+7 |
| on CSRF whitelisting the argument for :if must be a symbol | Daniel Lopes | 2012-06-07 | 1 | -1/+1 |
| fix typos on the CSRF whitelisting doc | Daniel Lopes | 2012-06-07 | 1 | -3/+3 |
| Document the CSRF whitelisting on get requests | Daniel Lopes | 2012-06-07 | 1 | -5/+16 |
| Removing ==Examples and last blank lines of docs from actionpack | Francesco Rodriguez | 2012-05-15 | 1 | -2/+0 |
| CSRF messages are no longer controlled by 422.html because InvalidAuthenticityToken is not raised | Tony Primerano | 2012-03-28 | 1 | -1/+0 |
| configure how unverified request will be handled<br>can be configured using `:with` option in `protect_from_forgery` method or `request_forgery_protection_method` config option<br>possible values:<br>- :reset_session (default)<br>- :exception<br>new applications are generated with:<br>protect_from_forgery :with => :exception | Sergey Nartimov | 2012-03-09 | 1 | -2/+18 |
| removed warning because logger.warn differentiates the warnings | Karunakar (Ruby) | 2012-01-05 | 1 | -1/+1 |
| Change log level for CSRF token verification warning | Mike Dillon | 2011-09-10 | 1 | -1/+1 |
| Changed a few instances of words in the API docs written in British English to American English (according to Weber) | Oemuer Oezkir | 2011-07-24 | 1 | -1/+1 |
| TODO fix explicitly loading exceptions, autoload removed | Vishnu Atrai | 2011-07-11 | 1 | -0/+1 |
| document handle_unverified_request method | Vijay Dev | 2011-07-02 | 1 | -0/+2 |
| update doc about resetting the session in case of authenticity token mismatch | Vijay Dev | 2011-07-01 | 1 | -6/+5 |
| Merge branch 'master' of git://github.com/lifo/docrails<br>Conflicts:<br>actionmailer/lib/action_mailer/base.rb<br>activesupport/lib/active_support/core_ext/kernel/requires.rb | Xavier Noria | 2011-05-25 | 1 | -3/+3 |