| Commit message | Author | Date | Files | Lines |
|---|---|---|---|---|
| Remove unneeded comment in test. | Timm | 2014-06-16 | 1 | -1/+1 |
| Nokogiri leaves '<' unescaped, so the assert_select looking for '<' will never work. Switched to assert_matching the response body. | Timm | 2014-06-16 | 1 | -2/+3 |
| Fixed Nokogiri::CSS::SyntaxErrors. | Timm | 2014-06-15 | 1 | -2/+2 |
| Fixed a Nokogiri::CSS::SyntaxError by using its expected format for unicode characters. | | | | |
| Avoid hardcoded value in teardown. | Zuhao Wan | 2014-05-28 | 1 | -3/+6 |
| Moved 'params[request_forgery_protection_token]' into its own method and improved tests. | Tom Kadwill | 2014-05-06 | 1 | -5/+26 |
| Remove wrapper div for inputs in button_to | Rafael Mendonça França | 2014-04-17 | 1 | -1/+1 |
| Related with cbb917455f306cf5818644b162f22be09f77d4b2 | | | | |
| Update Request forgery tests to remove input wrapping div | Rafael Mendonça França | 2014-04-17 | 1 | -5/+5 |
| This was changed at cbb917455f306cf5818644b162f22be09f77d4b2 | | | | |
| Make CSRF failure logging optional/configurable. | John Barton (joho) | 2014-03-05 | 1 | -0/+16 |
| Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection which is on by default. | | | | |
| Clearly limit new CSRF protection to GET requests | Jeremy Kemper | 2013-12-17 | 1 | -0/+10 |
| CSRF protection from cross-origin `<script>` tags | Jeremy Kemper | 2013-12-17 | 1 | -9/+69 |
| Thanks to @homakov for sounding the alarm about JSONP-style data leaking | | | | |
| NullSessionHash#destroy should be a no-op | Jonathan Baudanza | 2013-09-18 | 1 | -0/+10 |
| Previously it was raising a NilException | | | | |
| Fix #9168 Initialize NullCookieJar with all options needed for KeyGenerator | Andrey Chernih | 2013-02-08 | 1 | -0/+35 |
| Added a test that shows that a HEAD request does not normally pass CSRF protection | Michiel Sikkes | 2013-01-22 | 1 | -0/+4 |
| deprecate `assert_blank` and `assert_present`. | Yves Senn | 2013-01-05 | 1 | -1/+1 |
| They don't add any benefits over `assert object.blank?` and `assert object.present?` | | | | |
| Implement :null_session CSRF protection method | Sergey Nartimov | 2012-09-13 | 1 | -10/+6 |
| It's further work on CSRF after 245941101b1ea00a9b1af613c20b0ee994a43946. The :null_session CSRF protection method provides an empty session during request processing but doesn't reset it completely (as :reset_session does). | | | | |
| no need to pass an empty block to button_to helper | Sergey Nartimov | 2012-05-30 | 1 | -2/+2 |
| Cover one more case in auth_token and remote forms | Piotr Sarnacki | 2012-03-28 | 1 | -0/+7 |
| If embedding auth_token in remote forms is off and we pass a value for auth_token it should respect it. | | | | |
| config.action_view.embed_authenticity_token_in_remote_forms is true by default | Piotr Sarnacki | 2012-03-28 | 1 | -19/+14 |
| Changed default value for `config.action_view.embed_authenticity_token_in_remote_forms` to `false`. This change breaks remote forms that need to work also without javascript, so if you need such behavior, you can either set it to `true` or explicitly pass `:authenticity_token => true` in form options | | | | |
| Added config.action_view.embed_authenticity_token_in_remote_forms | Piotr Sarnacki | 2012-03-28 | 1 | -2/+48 |
| There is a regression introduced in 16ee611fa, which breaks remote forms that should also work without javascript. This commit introduces a config option that allows configuring this behavior, defaulting to the old behavior (i.e. include authenticity token in remote forms by default). Conflicts: actionpack/CHANGELOG.md | | | | |
| fixed - warning: ambiguous first argument; put parentheses or even spaces | Sandeep | 2012-03-16 | 1 | -1/+1 |
| Allow you to force the authenticity_token to be rendered even on remote forms if you pass true | David Heinemeier Hansson | 2012-03-14 | 1 | -0/+11 |
| Do not include the authenticity token in forms where remote: true as ajax forms use the meta-tag value | David Heinemeier Hansson | 2012-03-14 | 1 | -0/+13 |
| configure how unverified request will be handled | Sergey Nartimov | 2012-03-09 | 1 | -2/+2 |
| can be configured using `:with` option in `protect_from_forgery` method or `request_forgery_protection_method` config option. possible values: - :reset_session (default) - :exception. new applications are generated with: `protect_from_forgery :with => :exception` | | | | |
| Add config.default_method_for_update to support PATCH | David Lee | 2012-02-22 | 1 | -1/+14 |
| PATCH is the correct HTML verb to map to the #update action. The semantics for PATCH allows for partial updates, whereas PUT requires a complete replacement. Changes: * adds config.default_method_for_update you can set to :patch * optionally use PATCH instead of PUT in resource routes and forms * adds the #patch verb to routes to detect PATCH requests * adds #patch? to Request * changes documentation and comments to indicate support for PATCH. This change maintains complete backwards compatibility by keeping :put as the default for config.default_method_for_update. | | | | |
| Remove not used requires from csrf helper file and test | Carlos Antonio da Silva | 2012-01-21 | 1 | -7/+0 |
| These requires were added in a87b92d and the implementation changed in 2cdc1f0, removing the need for them. | | | | |
| Remove rescue_action from compatibility module and tests | Carlos Antonio da Silva | 2012-01-17 | 1 | -2/+0 |
| Use ensure instead of rescue | Mike Dillon | 2011-09-10 | 1 | -1/+1 |
| Add test for warning and CHANGELOG entry | Mike Dillon | 2011-09-10 | 1 | -0/+16 |
| Replace references to ActiveSupport::SecureRandom with just SecureRandom, and require 'securerandom' from the stdlib when active support is required. | Jon Leighton | 2011-05-23 | 1 | -3/+3 |
| Test csrf token param name customization | David Lee | 2011-05-10 | 1 | -7/+18 |
| Make csrf_meta_tags use the tag helper | James Robinson | 2011-04-08 | 1 | -5/+3 |
| Improved formatting of csrf_helper and improved test coverage | | | | |
| Change the CSRF whitelisting to only apply to get requests | Michael Koziarski | 2011-02-08 | 1 | -136/+75 |
| Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447 | | | | |
| put authenticity_token option in parity w/ remote | Dan Pickett | 2011-02-06 | 1 | -2/+2 |
| [#6228 state:committed] Signed-off-by: Santiago Pastorino <santiago@wyeworks.com> | | | | |
| Added tests for form_for and an authenticity_token option. Added docs for form_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers. [#6228 state:committed] Signed-off-by: Santiago Pastorino <santiago@wyeworks.com> | Timothy N. Tsvetkov | 2011-02-05 | 1 | -0/+18 |
| authenticity_token option for form_tag [#2988 state:resolved] | Jakub Kuźma | 2011-01-09 | 1 | -0/+18 |
| Fix indentation. | Emilio Tagua | 2010-09-27 | 1 | -19/+18 |
| get csrf_meta_tag back to the generated layout in deference to existing printed material, chomp also the generated HTML to be faithful to the output before the refactor | Xavier Noria | 2010-09-14 | 1 | -1/+1 |
| revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibility | Xavier Noria | 2010-09-11 | 1 | -2/+6 |
| code gardening: we have assert_(nil\|blank\|present), more concise, with better default failure messages - let's use them | Xavier Noria | 2010-08-17 | 1 | -1/+1 |
| Test that csrf meta content is html-escaped, too | Jeremy Kemper | 2010-02-04 | 1 | -1/+2 |
| Revert dumb test | Jeremy Kemper | 2010-02-04 | 1 | -2/+2 |
| HTML-escape csrf meta contents | Jeremy Kemper | 2010-02-04 | 1 | -2/+2 |
| Expose CSRF param name also | Jeremy Kemper | 2010-02-04 | 1 | -1/+1 |
| Expose CSRF tag for UJS adapters | Jeremy Kemper | 2010-02-04 | 1 | -1/+15 |
| Move form_remote_tag and remote_form_for into prototype_legacy_helper | Joshua Peek | 2010-01-30 | 1 | -27/+18 |
| Fix test bleed | Jeremy Kemper | 2009-11-18 | 1 | -1/+1 |
| Extract form_authenticity_param instance method so it's overridable in subclasses | Jeremy Kemper | 2009-11-17 | 1 | -1/+19 |
| Cleanup route reloading in tests. Prefer with_routing over using ActionController::Routing::Routes directly | Joshua Peek | 2009-08-16 | 1 | -5/+1 |
| Don't check authenticity tokens for any AJAX requests | Ross Kaffenburger and Bryan Helmkamp | 2009-04-15 | 1 | -5/+6 |
| Ruby 1.9 compat: rename deprecated assert_raises to assert_raise. | Jeremy Kemper | 2009-03-08 | 1 | -9/+9 |
| [#1617 state:resolved] | | | | |