Clearly limit new CSRF protection to GET requests

Jeremy Kemper 2013-12-17 16:02:04 -07:00
parent d3fcaba626
commit 4f4fdd643f
2 changed files with 17 additions and 2 deletions

@ -190,7 +190,7 @@ def handle_unverified_request
# verify that JavaScript responses are for XHR requests, ensuring they
# follow the browser's same-origin policy.
def verify_authenticity_token
@marked_for_same_origin_verification = true
mark_for_same_origin_verification!
if !verified_request?
logger.warn "Can't verify CSRF token authenticity" if logger
@ -218,10 +218,15 @@ def verify_same_origin_request
end
end
# GET requests are checked for cross-origin JavaScript after rendering.
def mark_for_same_origin_verification!
@marked_for_same_origin_verification = request.get?
end
# If the `verify_authenticity_token` before_action ran, verify that
# JavaScript responses are only served to same-origin GET requests.
def marked_for_same_origin_verification?
defined? @marked_for_same_origin_verification
@marked_for_same_origin_verification ||= false
end
# Check for cross-origin JavaScript responses.
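Review bot: The comment on `mark_for_same_origin_verification!` says GET requests are checked but not why every other verb is exempt, which is the security invariant this commit introduces. Non-GET requests are safe to skip only because they must already pass the token check in `verify_authenticity_token` (the `verified_request?` branch just above), so a controller that skips that before_action, or a future caller of `mark_for_same_origin_verification!` from somewhere else, would lose both protections at once. I would extend the comment to `# GET requests are checked for cross-origin JavaScript after rendering. Non-GET requests are exempt only because they must carry a valid CSRF token (see verify_authenticity_token); a <script src> can only issue GET.` Also, if the rendered page is faithful and both `defined? @marked_for_same_origin_verification` and the `||= false` line survive in `marked_for_same_origin_verification?`, the `defined?` result is discarded and that line is dead; presumably the diff replaces one with the other, which the lost +/- markers hide. `verify_same_origin_request` begins outside the hunk.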

@ -305,6 +305,16 @@ def test_should_only_allow_same_origin_js_get_with_xhr_header
end
end
# Allow non-GET requests since GET is all a remote <script> tag can muster.
def test_should_allow_non_get_js_without_xhr_header
assert_cross_origin_not_blocked { post :same_origin_js, custom_authenticity_token: @token }
assert_cross_origin_not_blocked { post :same_origin_js, format: 'js', custom_authenticity_token: @token }
assert_cross_origin_not_blocked do
@request.accept = 'text/javascript'
post :negotiate_same_origin, custom_authenticity_token: @token
end
end
def test_should_only_allow_cross_origin_js_get_without_xhr_header_if_protection_disabled
assert_cross_origin_not_blocked { get :cross_origin_js }
assert_cross_origin_not_blocked { get :cross_origin_js, format: 'js' }
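Review bot: The new test only shows that a non-GET JS request carrying a valid token is not blocked; nothing in this hunk pins down that the relaxation does not extend to a non-GET JS request without a token, which is the request an attacker would actually send. I would add a companion test next to `test_should_allow_non_get_js_without_xhr_header` that issues `post :same_origin_js, format: 'js'` with no `custom_authenticity_token` and asserts it is rejected by whatever forgery-protection strategy the test controller uses (I cannot see that strategy or a matching assertion helper from here). The `custom_authenticity_token: @token` on all three requests also deserves a one-line comment, e.g. `# token required: non-GET requests are still subject to the CSRF token check`, since it is what makes `assert_cross_origin_not_blocked` meaningful here. `assert_cross_origin_not_blocked` is defined outside the hunk.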