Improve readability in CSRF section of guide
This commit is contained in:
parent
fef1064052
commit
705847578e
@ -196,7 +196,7 @@ This attack method works by including malicious code or a link in a page that ac
![](images/csrf.png)
In the [session chapter](#sessions) you have learned that most Rails applications use cookie-based sessions. Either they store the session id in the cookie and have a server-side session hash, or the entire session hash is on the client-side. In either case the browser will automatically send along the cookie on every request to a domain, if it can find a cookie for that domain. The controversial point is, that it will also send the cookie, if the request comes from a site of a different domain. Let's start with an example:
In the [session chapter](#sessions) you have learned that most Rails applications use cookie-based sessions. Either they store the session id in the cookie and have a server-side session hash, or the entire session hash is on the client-side. In either case the browser will automatically send along the cookie on every request to a domain, if it can find a cookie for that domain. The controversial point is that if the request comes from a site of a different domain, it will also send the cookie. Let's start with an example:
* Bob browses a message board and views a post from a hacker where there is a crafted HTML image element. The element references a command in Bob's project management application, rather than an image file: `<img src="http://www.webapp.com/project/1/destroy">`
* Bob's session at `www.webapp.com` is still alive, because he didn't log out a few minutes ago.
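Review bot: the rewritten sentence still labels the browser's behaviour "controversial", which hides the actual point: the browser attaches the cookie to any request for `www.webapp.com` no matter which page issued it, and that is exactly what makes the `<img src="http://www.webapp.com/project/1/destroy">` example work. Suggest: "The important point is that the browser also sends the cookie when the request is triggered from a page on a different site." Since this paragraph is being edited for readability, the context line "because he didn't log out a few minutes ago" is also confusing; "because he visited it a few minutes ago and did not log out" says what is meant.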
@ -224,9 +224,9 @@ The HTTP protocol basically provides two main types of requests - GET and POST (
* The interaction _changes the state_ of the resource in a way that the user would perceive (e.g., a subscription to a service), or
* The user is _held accountable for the results_ of the interaction.
If your web application is RESTful, you might be used to additional HTTP verbs, such as PATCH, PUT or DELETE. Most of today's web browsers, however do not support them - only GET and POST. Rails uses a hidden `_method` field to handle this barrier.
If your web application is RESTful, you might be used to additional HTTP verbs, such as PATCH, PUT or DELETE. Most of today's web browsers, however, do not support them - only GET and POST. Rails uses a hidden `_method` field to handle this barrier.
_POST requests can be sent automatically, too_. Here is an example for a link which displays `www.harmless.com` as destination in the browser's status bar. In fact it dynamically creates a new form that sends a POST request.
_POST requests can be sent automatically, too_. In this example, the link www.harmless.com is shown as the destination in the browser's status bar. But it has actually dynamically created a new form that sends a POST request.
```html
<a href="http://www.harmless.com/" onclick="
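Review bot: the rewrite of the POST example sentence reads worse than the original in two ways: `www.harmless.com` lost its inline-code formatting, and "But it has actually dynamically created a new form" switches to past tense for something the link does at the moment it is clicked. Suggest: "In this example, the link displays `www.harmless.com` as the destination in the browser's status bar, but clicking it actually creates a new form and sends a POST request." The added comma after "however" is correct; while that sentence is open, note that "Most of today's web browsers, however, do not support them" is really a statement about HTML forms, which only submit GET and POST, so "HTML forms, however, only support GET and POST" would be more accurate and would explain why the hidden `_method` field is needed.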
@ -1057,4 +1057,3 @@ The security landscape shifts and it is important to keep up to date, because mi
* Subscribe to the Rails security [mailing list](http://groups.google.com/group/rubyonrails-security)
* [Keep up to date on the other application layers](http://secunia.com/) (they have a weekly newsletter, too)
* A [good security blog](https://www.owasp.org) including the [Cross-Site scripting Cheat Sheet](https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet)
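Review bot: the only change in this hunk is the removal of a trailing blank line at the end of the file (4 lines become 3), which has nothing to do with the CSRF section named in the commit message; either mention the whitespace cleanup in the message or drop it from this commit so the diff stays scoped to what the message describes. If these links are revisited, "A [good security blog](https://www.owasp.org)" points at the OWASP home page rather than a blog, so the link text should be adjusted.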