I just changed my session store to use ActiveRecord because it appears session expiration and so on may be easier that way and it seems like a better option.
I had commented those out during development because certain actions would error out because of these.
For instance, I think I called remote_function() from JavaScript and just added :width=>something.
That added width into params, but I guess since it wasn't part of the routing the forgery protection flagged an error on it, is my guess.
Is the best way to go through and try to fix the routing for everything? I guess that might be the way I have to do it. I wanted to check if I really need to do that for security, as it's sort of a pain in the neck to have to try to test all the methods, fix the routing and such.
If you're concerned about security then commenting that out to resolve the errors you were getting in development was probably a mistake.
Also note that your subject line says Cross Site Scripting (XSS), which is not the same as Cross Site Request Forgery (CSRF). The method protect_from_forgery does nothing (as far as I understand it) to protect against XSS. It only provides protection against CSRF.
But I get the error (below). I'm not sure if there's a proper way to do it with remote_function()?
Anyway, first I did the main dev, now I am trying to learn more on security.
Processing ShgridController#resize_field (for 155.x.x.x at 2009-03-26 16:28:11) [POST]
Session ID: 92c3ef636f552fbeff8e574d96bedb9f
Parameters: {"col"=>"5", "action"=>"resize_field", "controller"=>"shgrid", "width"=>"66"}
User Load (0.000269) SELECT * FROM "users" WHERE (name = 'Zack2') LIMIT 1
AdminSetting Load (0.000156) SELECT * FROM "admin_settings" LIMIT 1
You may just want to disable forgery protection for this one action, but use it for all others. There might be a better solution than that, but it should get you past this problem.
To make it dynamic, I would use form_authenticity_token, not the actual value of it.
Thanks,
So I make the call like this. It works fine, except I'm not sure why the stuff in the :with part from JavaScript doesn't make it into params when I have authenticity_token in the :url part:
The other thing seems to be that if this is set in the base controller:
protect_from_forgery :secret => '10aedsfsdafdasfasdfxvcxvhg'
Then it generates the authenticity tokens regardless of whether the check is made. That seems to break my remote_function call as mentioned in the previous post (because the :with JS stuff doesn't get put into the url/params).
Since protect_from_forgery is, I guess, called at the class level, I'm not sure I can disable it for one action and have it turned on for others.
I can turn this off at the instance level:
self.allow_forgery_protection = false
but that doesn't fix my other problem ...
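The following is an added, framework-free Ruby model of what the thread is circling around (the reply's "disable forgery protection for this one action, use it for all others" and the question of whether protect_from_forgery can be scoped per action). It is not Rails' code and not the poster's app: it mimics the shape of protect_from_forgery with a :secret, form_authenticity_token, and a per-action skip list so the checks can be run stand-alone. In real Rails 2.x the per-action exemption is `skip_before_filter :verify_authenticity_token, :only => [:resize_field]`; the class name MiniController, the method skip_forgery_protection_for, the session id, the secret and the parameter hashes below are all constructed for the example.

```ruby
require 'openssl'

# Constructed model of Rails 2.x request-forgery protection (not Rails' own code).
class InvalidAuthenticityToken < StandardError; end

class MiniController
  # Per-class list of actions exempt from the token check, standing in for
  # skip_before_filter :verify_authenticity_token, :only => [...] in Rails 2.x.
  def self.skip_forgery_protection_for(*actions)
    @skipped = (@skipped || []) | actions.map { |a| a.to_s }
  end

  def self.skipped_actions
    @skipped || []
  end

  # Mimics protect_from_forgery :secret => '...' (the 2.x HMAC-of-session-id scheme).
  def self.protect_from_forgery(options = {})
    @forgery_secret = options[:secret]
  end

  def self.forgery_secret
    @forgery_secret
  end

  attr_reader :session, :params, :request_method

  # options: :session_id, :params (string-keyed hash), :request_method
  def initialize(options)
    @session = { :session_id => options[:session_id] }
    @params = options[:params] || {}
    @request_method = options[:request_method].to_s.upcase
  end

  # Token bound to this session: HMAC-SHA1(secret, session_id). Rendering this
  # value into the page is what the reply means by "use form_authenticity_token".
  def form_authenticity_token
    OpenSSL::HMAC.hexdigest('sha1', self.class.forgery_secret.to_s, session[:session_id].to_s)
  end

  # The filter: only non-GET requests are checked, and only those not skipped.
  # Returns :skipped or :verified; raises InvalidAuthenticityToken otherwise.
  def verify_authenticity_token(action)
    return :skipped if request_method == 'GET' || self.class.skipped_actions.include?(action.to_s)
    raise InvalidAuthenticityToken unless secure_compare(params['authenticity_token'].to_s, form_authenticity_token)
    :verified
  end

  private

  # Constant-time comparison so the check does not leak the token byte by byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

class ShgridController < MiniController
  protect_from_forgery :secret => 'constructed-example-secret'
  # The reply's suggestion: exempt just this one action, keep every other one checked.
  skip_forgery_protection_for :resize_field
end

# Parameters the way a remote_function call should send them: the :with data
# plus the page's own authenticity_token, all arriving in params together.
def ajax_params(controller, extra)
  extra.merge('authenticity_token' => controller.form_authenticity_token)
end

def check(controller, action)
  controller.verify_authenticity_token(action)
rescue InvalidAuthenticityToken
  :rejected
end

def demo
  sid = 'constructed-session-id'
  page = ShgridController.new(:session_id => sid, :request_method => :get)
  [
    # 1) The exempted action goes through without any token.
    check(ShgridController.new(:session_id => sid, :params => { 'col' => '5', 'width' => '66' }, :request_method => :post), :resize_field),
    # 2) A still-protected action with no token is rejected.
    check(ShgridController.new(:session_id => sid, :params => { 'col' => '5' }, :request_method => :post), :save_field),
    # 3) The same action with the session's own token is verified.
    check(ShgridController.new(:session_id => sid, :params => ajax_params(page, 'col' => '5'), :request_method => :post), :save_field),
    # 4) A token minted for some other session is rejected (cross-site request).
    check(ShgridController.new(:session_id => sid, :params => ajax_params(ShgridController.new(:session_id => 'other-session', :request_method => :get), {}), :request_method => :post), :save_field)
  ]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Run with `ruby forgery_demo.rb`; `demo` returns `[:skipped, :rejected, :verified, :rejected]`. The exemption is a class-level list consulted per action at request time, which is why it does not have to be all-or-nothing for the controller, and why exempting resize_field leaves the other actions exactly as protected as before.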