How do I find what AJAX method is being used? Could you possibly give an example?
On Aug 29, 5:01 am, hitch <[EMAIL PROTECTED]> wrote:
> The protect_from_forgery is on by default to prevent Cross Site Request Forgery attacks.
>
> You don't normally have to add this to your controller. What you are actually doing in this case is adding the call so that your ajax method is NOT protected from attacks. It might make more sense to use the following:
>
> protect_from_forgery :except => :your_ajax_method
>
> The end result should be the same. And listing which methods should not have protection is probably a more robust solution, since forgetting to add to the :except list will generate the kind of error you are seeing. Forgetting to add methods to the :only list will not generate any error messages.
>
> If you do not want to exclude your ajax method, your ajax submission needs to include the token. This is done automatically by the framework for most forms.
>
> On Aug 28, 8:46 am, "Tan YL" <[EMAIL PROTECTED]> wrote:
> > How come I have to add it in my controller to get rid of token error?
> >
> > -----Original Message-----
> > From: rubyonrails-talk@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Jorg Lueke
> > Sent: Thursday, August 28, 2008 9:46 PM
> > To: Ruby on Rails: Talk
> > Subject: [Rails] Re: protect_from_forgery :only => [:create, :delete, :update] what does this do exactly?
> >
> > It's the default in any rails 2.0 project.
> >
> > On Aug 27, 9:54 am, "Tan YL" <[EMAIL PROTECTED]> wrote:
> > > In production mode it's a default? Sorry still haven't got my app out of development mode so I have no idea what happens during production.
> > >
> > > -----Original Message-----
> > > From: rubyonrails-talk@googlegroups.com [mailto:[EMAIL PROTECTED] On Behalf Of Jorg Lueke
> > > Sent: Wednesday, August 27, 2008 10:18 PM
> > > To: Ruby on Rails: Talk
> > > Subject: [Rails] Re: protect_from_forgery :only => [:create, :delete, :update] what does this do exactly?
> > > > (3) If it is that good should I use it in every controller?
> > > Somebody must think so because it is the default in every app built.
> > >
> > > On Aug 27, 9:12 am, tyliong <[EMAIL PROTECTED]> wrote:
> > > > protect_from_forgery :only => [:create, :delete, :update]
> > > >
> > > > Questions:
> > > >
> > > > (1) Why do I need to put it in when I get an authenticate token error from passing an :id from the controller through AJAX?
> > > > (2) Are there any disadvantages in doing this (does this expose security loopholes)?
> > > > (3) If it is that good should I use it in every controller?
> > > >
> > > > From the Ruby API (I still don't understand what this means):
> > > > Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current web application, not a forged link from another site, is done by embedding a token based on the session (which an attacker wouldn't know) in all forms and Ajax requests generated by Rails and then verifying the authenticity of that token in the controller. Only HTML/JavaScript requests are checked, so this will not protect your XML API (presumably you'll have a different authentication scheme there anyway). Also, GET requests are not protected as these should be idempotent anyway.
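As an added stand-alone example, not Rails' own implementation and not code from anyone in the thread: a small Ruby model of the rule hitch and the API docs describe (only non-GET HTML/JS requests are checked; :except lists the unchecked actions, :only lists the checked ones), showing that an action forgotten from an :only list is silently left unchecked while one forgotten from an :except list still raises the token error. The class and method names, the :archive and :ajax_update actions and the session token value are constructed for the example.

```ruby
# Added example, not Rails' own code: a model of the protect_from_forgery
# decision rule, to show why an :except list fails safer than an :only list.
class InvalidAuthenticityToken < StandardError; end
class ForgeryPolicy
  # only: check just these actions; except: check every action but these.
  def initialize(only: nil, except: [])
    @only   = only && only.map(&:to_sym)
    @except = except.map(&:to_sym)
  end

  # Documented rule: GET and non-HTML/JS formats are never checked; then
  # the :except / :only lists decide whether this action is checked.
  def protected?(action, verb, format)
    return false if verb == "GET" || !%w[html js].include?(format)
    return false if @except.include?(action.to_sym)
    @only.nil? || @only.include?(action.to_sym)
  end

  # Returns true when the request may proceed; raises when a checked
  # request carries no token or a token that does not match the session.
  def verify!(action, verb, format, session, params)
    return true unless protected?(action, verb, format)
    expected = session[:_csrf_token]
    given    = params["authenticity_token"]
    unless expected && given && secure_compare(expected, given)
      raise InvalidAuthenticityToken, "#{verb} #{action}: bad or missing token"
    end
    true
  end

  private
  # Constant-time comparison so a wrong token leaks nothing via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed session token and the two configurations from the thread.
SESSION       = { _csrf_token: "constructed-session-token" }
ONLY_POLICY   = ForgeryPolicy.new(only: [:create, :delete, :update])
EXCEPT_POLICY = ForgeryPolicy.new(except: [:ajax_update])

# :archive is a new action the developer forgot to list anywhere. Returns true
# if a tokenless POST gets through (silent :only failure), false if rejected.
def tokenless_post_allowed?(policy, action = :archive)
  policy.verify!(action, "POST", "html", SESSION, {})
rescue InvalidAuthenticityToken
  false
end
```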