Re: [Rails] Re: Ajax CSRF in Rails3

2010-09-21 Thread radhames brito
class CryptoKeysController < ApplicationController
  ssl_required :show

$.getScript('/profiles/crypto_key?callback=setCryptData',

he is calling the show action with https from a non https page
-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" gr

[Rails] Re: Ajax CSRF in Rails3

2010-09-21 Thread Tim Shaffer
On Sep 21, 2:30 pm, radhames brito wrote:
> just confirmed that getScript does cross-domain calls
>
> some guys are using it to send https data over http
>
> http://www.viget.com/extend/secure-ajax-from-non-secure-pages/

Actually, that page specifically says that it doesn't work cross domain, or ev

Re: [Rails] Re: Ajax CSRF in Rails3

2010-09-21 Thread radhames brito
just confirmed that getScript does cross-domain calls

some guys are using it to send https data over http

http://www.viget.com/extend/secure-ajax-from-non-secure-pages/

[Rails] Re: Ajax CSRF in Rails3

2010-09-21 Thread Tim Shaffer
On Sep 21, 12:23 pm, radhames brito wrote:
> doesn't $.getScript pass data from one domain to another?

I doubt it. It probably uses XMLHttpRequest

Re: [Rails] Re: Ajax CSRF in Rails3

2010-09-21 Thread radhames brito
doesn't $.getScript pass data from one domain to another?

[Rails] Re: Ajax CSRF in Rails3

2010-09-21 Thread Ft51
Thanks, that makes sense!

On Sep 21, 1:15 pm, Tim Shaffer wrote:
> On Sep 21, 7:43 am, Ft51 wrote:
>
> > I'm using rails3. It does not seem to check the authenticity_token
> > when doing a POST using Ajax. I traced this to:
>
> > module ActionDispatch
> >   class Request < Rack::Request
> >

[Rails] Re: Ajax CSRF in Rails3

2010-09-21 Thread Tim Shaffer
On Sep 21, 7:43 am, Ft51 wrote:
> I'm using rails3. It does not seem to check the authenticity_token
> when doing a POST using Ajax. I traced this to:
>
> module ActionDispatch
>   class Request < Rack::Request
> .
>  def forgery_whitelisted?
>       get? || xhr? || content_mime_type.nil? || !