I see, extracting it as a gem fixes the problem, at least for Rails itself, 
which is what we want.

The extracted gem must explicitly explain the security concerns at the top of 
the README, regardless of the fact that people usually don't read it.


Rails already did that for other features, for other reasons, but the same idea 
applies: deprecate the usage in Rails itself but allow those who explicitly 
want/need it to use it.

Time to pull request?

Cheers,

Gabriel Sobrinho
gabrielsobrinho.com

On Dec 2, 2013, at 12:19 PM, Egor Homakov <homa...@gmail.com> wrote:

> Apparently many readers have no clue how this attack works, and people keep 
> asking the same questions. Thanks to the people who clarified it in more detail 
> than I did.
> 
> All we can do is add `.xhr?` protection or a Warning (not necessarily a 
> Deprecation). There is no other sane way to mitigate it.
> 
> 
> 
> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov wrote:
> https://github.com/rails/rails/issues/12374#issuecomment-29446761
> 
> Here in the discussion I proposed to deprecate the JS responder because this 
> technique is insecure and not a pragmatic way to transfer data.
> It can be exploited in this way: 
> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
> 
> I find this bug very often, so I know what I'm talking about. With it an attacker 
> can steal user data and the authenticity_token if templates with a form were leaked 
> too.
> 
> 
> 
> 
> -- 
> You received this message because you are subscribed to a topic in the Google 
> Groups "Ruby on Rails: Core" group.
> To unsubscribe from this topic, visit 
> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to 
> rubyonrails-core+unsubscr...@googlegroups.com.
> To post to this group, send email to rubyonrails-core@googlegroups.com.
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.
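The `.xhr?` check Egor refers to, as an added, Rails-free example that is not code from this thread or from Rails itself. It models only the relevant piece: a cross-origin `<script src="/profile.js">` load carries no `X-Requested-With: XMLHttpRequest` header, while XHR-based clients send it, so a JS responder that refuses non-XHR requests never hands the script (and the data embedded in it) to another origin. `ScriptRequest`, `JsResponderGuard`, the 406 status and the sample user data are all constructed for the example.

```ruby
require 'json'

# Stand-in for the subset of a Rails request object used here (hypothetical name).
ScriptRequest = Struct.new(:path, :headers, keyword_init: true) do
  # Mirrors the idea behind Rails' request.xhr?: true only when the client set
  # X-Requested-With to "XMLHttpRequest". A <script src> load from another page
  # cannot set that header, so it fails this check.
  def xhr?
    headers['X-Requested-With'].to_s.casecmp?('XMLHttpRequest')
  end
end

module JsResponderGuard
  # The kind of script a format.js template emits: markup (which may contain a
  # form with its authenticity_token) interpolated into executable JS.
  def self.render_js(user)
    "$('#profile').html(#{user[:html].to_json}); " \
      "window._token = #{user[:token].to_json};"
  end

  # Returns [status, body]. Non-XHR requests get an empty 406 (status chosen for
  # the example) instead of the script, so nothing sensitive reaches a cross-origin
  # <script> tag; XHR requests from the page's own origin still work as before.
  def self.respond(request, user)
    return [406, ''] unless request.xhr?

    [200, render_js(user)]
  end
end

# Constructed sample data; the token value is a placeholder, not a real one.
SAMPLE_USER = {
  html: '<form><input name="authenticity_token" value="CONSTRUCTED_TOKEN"></form>',
  token: 'CONSTRUCTED_TOKEN'
}.freeze

if __FILE__ == $PROGRAM_NAME
  xhr_request = ScriptRequest.new(path: '/profile.js',
                                  headers: { 'X-Requested-With' => 'XMLHttpRequest' })
  script_tag_request = ScriptRequest.new(path: '/profile.js', headers: {})

  p JsResponderGuard.respond(xhr_request, SAMPLE_USER)        # [200, "$('#profile')..."]
  p JsResponderGuard.respond(script_tag_request, SAMPLE_USER) # [406, ""]
end
```

The check is only as good as the header: it relies on browsers not letting a cross-origin `<script>` or form submission add `X-Requested-With`, which is why a same-origin XHR client must set it explicitly (jQuery's `$.ajax` does). A gem that extracts the JS responder would want this check on by default and the reason for it spelled out in its README, as discussed above.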
