Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Change the `protect_from_forgery` prepend default to `false` | eileencodes | 2015-12-07 | 1 | -7/+7 |
| | Per this comment https://github.com/rails/rails/pull/18334#issuecomment-69234050 we want `protect_from_forgery` to default to `prepend: false`. `protect_from_forgery` will now be inserted into the callback chain at the point it is called in your application. This is useful for cases where you want to `protect_from_forgery` after you perform required authentication callbacks or other callbacks that are required to run after forgery protection. If you want `protect_from_forgery` callbacks to always run first, regardless of the position at which they are called in your application, then you can add `prepend: true` to your `protect_from_forgery` call. Example: `protect_from_forgery prepend: true` | ||||
* | Add option to verify Origin header in CSRF checks | Ben Toews | 2015-11-25 | 1 | -2/+28 |
| | |||||
* | [ci skip] Fix document of `ActionController::RequestForgeryProtection` | yui-knk | 2015-09-28 | 1 | -0/+2 |
| | * add `end` to end of class definition * add a blank line between explanation and example code | ||||
* | Use rack.session_options instead of directly change env | Juanito Fatas | 2015-09-16 | 1 | -1/+1 |
| | |||||
* | fewer direct env manipulations | Aaron Patterson | 2015-09-15 | 1 | -1/+1 |
| | this commit removes some direct access to `env`. | ||||
* | Another place to use a request object in NullSessionHash | Ronak Jangir | 2015-08-23 | 1 | -3/+3 |
| | May be missed in 5fe141638f1243ac6ae187ae14aa398b4c1875a2 commit. Also fixes the broken build. | ||||
* | add a setter for the cookie jar | Aaron Patterson | 2015-08-06 | 1 | -1/+1 |
| | |||||
* | remove `@host` ivar | Aaron Patterson | 2015-08-05 | 1 | -7/+1 |
| | |||||
* | remove @secure ivar | Aaron Patterson | 2015-08-05 | 1 | -2/+1 |
| | |||||
* | CookieJar does not need the key_generator parameter anymore | Aaron Patterson | 2015-08-05 | 1 | -2/+1 |
| | |||||
* | stop using an options hash with the cookie jar | Aaron Patterson | 2015-08-05 | 1 | -1/+1 |
| | The cookie jar can just ask the request object for the information it needs. This allows us to stop allocating hashes for options, and also allows us to delay calculating values in advance. Generating the options hash forced us to calculate values that we may never have needed at runtime. | ||||
* | move env access to the request object. | Aaron Patterson | 2015-08-05 | 1 | -2/+2 |
| | Accessing a request object has nice advantages over accessing a hash. If you use a missing method name, you'll get an exception rather than a `nil` (which is one nice feature). | ||||
* | [ci skip] it should be protect_from_forgery | Aditya Kapoor | 2015-07-27 | 1 | -1/+1 |
| | |||||
* | Merge branch 'master' of github.com:rails/docrails | Vijay Dev | 2015-06-05 | 1 | -1/+1 |
|\ | |||||
| * | [ci skip] Upcase `is` | yui-knk | 2015-05-25 | 1 | -1/+1 |
| | | |||||
* | | Spelling/typo/grammatical fixes [ci skip] | karanarora | 2015-05-23 | 1 | -1/+1 |
|/ | spelling fix [ci skip]; example to be consistent [ci skip]; grammatical fix; typo fixes [ci skip] | ||||
* | Merge branch 'master' of github.com:rails/docrails | Vijay Dev | 2015-05-08 | 1 | -1/+1 |
|\ | |||||
| * | Add missing "of" to RequestForgeryProtection doc. | Hendy Tanata | 2015-04-27 | 1 | -1/+1 |
| | | [ci skip] | ||||
* | | Updated request_forgery_protection docs [ci skip] | Prathamesh Sonpatki | 2015-04-28 | 1 | -5/+6 |
|/ | - Changed Javascript to JavaScript. - Added full-stop which was missing, also wrapped the sentence to 80 chars. - Changed proc to Proc and oauth to OAuth. | ||||
* | Add note regarding CSRF for APIs, as a use-case for skipping it [ci skip] | Zachary Scott | 2015-04-12 | 1 | -0/+4 |
| | |||||
* | Apply comments from @jeremy regarding why HTML and Javascript requests specifically are checked for CSRF, when dealing with the browser. [ci skip] | Zachary Scott | 2015-04-12 | 1 | -0/+5 |
| | |||||
* | update request_forgery_protection docs [ci skip] | Vladimir Lyzo | 2015-04-12 | 1 | -7/+8 |
| | |||||
* | Try only to decode strings | Rafael Mendonça França | 2015-02-18 | 1 | -2/+4 |
| | This approach will save us from having to check for NoMethodError when trying to decode. | ||||
* | Handle non-string authenticity tokens | Ville Lautanala | 2015-02-12 | 1 | -1/+1 |
| | Non-string authenticity tokens raised NoMethodError when decoding the masked token. | ||||
* | Add prepend option to protect_from_forgery. | Josef Šimánek | 2015-01-08 | 1 | -1/+8 |
| | |||||
* | Improve protect_from_forgery documentation. [ci skip]. | Josef Šimánek | 2015-01-06 | 1 | -3/+3 |
| | |||||
* | Document all options for protect_from_forgery. | Josef Šimánek | 2015-01-04 | 1 | -8/+2 |
| | [ci skip] | ||||
* | Merge pull request #18102 from arthurnn/nodoc_constant | Arthur Nogueira Neves | 2014-12-19 | 1 | -0/+1 |
| | Add nodoc to some constants [skip ci] | ||||
* | Use AS secure_compare for CSRF token comparison | Guillermo Iguaran | 2014-10-23 | 1 | -2/+2 |
| | |||||
* | Merge pull request #16570 from bradleybuda/breach-mitigation-mask-csrf-token | Jeremy Kemper | 2014-08-19 | 1 | -3/+65 |
|\ | CSRF token mask from breach-mitigation-rails gem | ||||
| * | Auth token mask from breach-mitigation-rails gem | Bradley Buda | 2014-08-19 | 1 | -3/+65 |
| | | This merges in the code from the breach-mitigation-rails gem that masks authenticity tokens on each request by XORing them with a random set of bytes. The masking is used to make it impossible for an attacker to steal a CSRF token from an SSL session by using techniques like the BREACH attack. The patch is pretty simple - I've copied over the [relevant code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb) and updated the tests to pass, mostly by adjusting stubs and mocks. | ||||
* | | Uppercase HTML in docs. | Hendy Tanata | 2014-08-08 | 1 | -2/+2 |
|/ | [skip ci] | ||||
* | Fix protect_from_forgery docs | David Albert | 2014-07-27 | 1 | -1/+1 |
| | |||||
* | Moved 'params[request_forgery_protection_token]' into its own method and improved tests. | Tom Kadwill | 2014-05-06 | 1 | -1/+1 |
| | |||||
* | Make CSRF failure logging optional/configurable. | John Barton (joho) | 2014-03-05 | 1 | -1/+7 |
| | Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection which is on by default. | ||||
* | Clearly limit new CSRF protection to GET requests | Jeremy Kemper | 2013-12-17 | 1 | -2/+7 |
| | |||||
* | CSRF protection from cross-origin <script> tags | Jeremy Kemper | 2013-12-17 | 1 | -13/+61 |
| | Thanks to @homakov for sounding the alarm about JSONP-style data leaking | ||||
* | NullSessionHash#destroy should be a no-op | Jonathan Baudanza | 2013-09-18 | 1 | -0/+3 |
| | Previously it was raising a NilException | ||||
* | [ci skip] document protect_against_forgery? method | Weston Platter | 2013-05-10 | 1 | -0/+1 |
| | |||||
* | This cache is not needed | Santiago Pastorino | 2013-02-21 | 1 | -2/+1 |
| | |||||
* | Use composition to figure out the forgery protection strategy | Santiago Pastorino | 2013-02-21 | 1 | -9/+27 |
| | |||||
* | Fix #9168 Initialize NullCookieJar with all options needed for KeyGenerator | Andrey Chernih | 2013-02-08 | 1 | -1/+1 |
| | |||||
* | Merge pull request #9032 from firmhouse/head-breaks-csrf | Santiago Pastorino | 2013-01-28 | 1 | -2/+2 |
|\ | Make HEAD work / convert to GET once more | ||||
| * | Added request.head? to forgery protection code | Michiel Sikkes | 2013-01-22 | 1 | -2/+2 |
| | | |||||
* | | Integrate Action Pack with Rack 1.5 | Carlos Antonio da Silva | 2013-01-25 | 1 | -3/+4 |
|/ | All ActionPack and Railties tests are passing. Closes #8891. [Carlos Antonio da Silva + Santiago Pastorino] | ||||
* | use `_action` instead of `_filter` callbacks | Francesco Rodriguez | 2012-12-07 | 1 | -6/+6 |
| | |||||
* | Sign cookies using key deriver | Santiago Pastorino | 2012-11-03 | 1 | -4/+4 |
| | |||||
* | Multiple changes to 1.9 hash syntax | AvnerCohen | 2012-10-27 | 1 | -3/+3 |
| | |||||
* | Build fix for ActionMailer | Arun Agrawal | 2012-09-14 | 1 | -0/+1 |
| | See http://travis-ci.org/#!/rails/rails/jobs/2444632 | ||||
* | Implement :null_session CSRF protection method | Sergey Nartimov | 2012-09-13 | 1 | -22/+70 |
| | It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946. The :null_session CSRF protection method provides an empty session during request processing but doesn't reset it completely (as :reset_session does). |