Rails4 - How to receive and send JSON data securely through Ajax and store it?

I have a page (like https://www.helloabc.com/han.html) that is loaded inside an iframe on an app of a different domain. I added the following to enable loading the page in an iframe and remove the error ("Refused to display document because display forbidden by X-Frame-Options").

config.action_dispatch.default_headers['X-Frame-Options'] = "ALLOW-FROM https://xyz.com"

The iframe page sends JSON data through Ajax to another page as follows.

$.ajax({
  url: 'https://www.helloabc.com/hello',
  type: 'POST',
  dataType: 'json',
  data: {
    "url" : hjurl,
    "data" : senddatavar
  },
  success: function(a){
    console.log("success");
    console.log(a.message);
  },
  error: function(request, status, error) {
    console.log("error");
  }
});

I received it as follows:

heroku[router]: at=info method=POST path="/hello" host=www.helloabc.com request_id=7163f18c-16c8-47ab-b4bf-602d12c9c67d fwd="117.203.154.1" dyno=web.1 connect=3ms service=13ms status=422 bytes=359
app[web.1]: Started POST "/hello" for 117.203.154.1 at 2014-11-07 12:15:59 +0000
app[web.1]: Completed 422 Unprocessable Entity in 1ms
app[web.1]: Processing by HomePageController#hellojson as JSON
app[web.1]:   Parameters: {"url"=>"https://abc.yupp.com/hs/_/krfdsgea", "data"=>{"0"=>{"id"=>"231bacacdsf928", "person"=>{"id"=>"2342762436", "dName"=>"wwwww", "image"=>{"url"=>"https://sbc/photo.jpg"}}}}}
app[web.1]: Can't verify CSRF token authenticity
app[web.1]:
app[web.1]: ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

So I changed my controller as follows to avoid this problem:

class HomePageController < ApplicationController

  skip_before_filter :verify_authenticity_token, only: [:hellojson]

  def hello
  end

  def hellojson
    respond_to do |format|
      format.html
      format.json { render :json => { :status => 'Ok', :message => 'Received' }, :status => 200 }
    end
  end

end

I just read that adding "skip_before_filter :verify_authenticity_token" will lead to a serious security problem. How do I solve this?

After this I am able to receive data and I receive 200 OK in my iframe page.

heroku[router]: at=info method=POST path="/hello" host=www.helloabc.com request_id=ac3ed869-75cc-484f-94ea-65ea2fccbb9e fwd="117.203.154.1" dyno=web.1 connect=3ms service=26ms status=200 bytes=900
app[web.1]: Started POST "/hello" for 117.203.154.1 at 2014-11-07 16:45:29 +0000
app[web.1]: Processing by HomePageController#hellojson as JSON
app[web.1]:   Parameters: {"url"=>"https://abc.yupp.com/hs/_/krki5gea", "data"=>{"0"=>{"id"=>"937bacaeb0f928", "person"=>{"id"=>"1984762436", "dName"=>"zzzzz", "image"=>{"url"=>"https://sbc/photo.jpg"}}}}}
app[web.1]: Completed 200 OK in 2ms (Views: 0.4ms | ActiveRecord: 0.0ms)

I am new to Rails. I don't know how to grab this data and store it, and I don't know how to do it the right way. Can anyone please share what the best practice is to send data through Ajax securely and store it?
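On the "how do I grab this data and store it" part of the question: the following is an added example, not code from the original post and not Rails' own code. It is a plain-Ruby whitelist and validator for exactly the payload shape the Heroku log shows (`url`, and `data` as `{"0" => {id, person => {id, dName, image => {url}}}}`), doing what strong parameters (`params.require(...).permit(...)`) plus model validations would do inside a Rails controller, but written without Rails so it runs on its own. The record field names (`source_url`, `item_id`, `person_id`, `display_name`, `image_url`), the `InvalidPayload` error class, the https-only rule for stored URLs and the length limits are assumptions; `SAMPLE_PARAMS` is constructed from the values in the log, not captured traffic.

```ruby
require 'uri'

# Added illustration, not Rails' code and not from the original post: a plain
# Ruby whitelist + validator for the payload shape visible in the Heroku log.
# In a Rails controller the same job is done by strong parameters
# (params.require(:data).permit(...)) plus model validations; it is written
# without Rails here so it can run on its own.

class InvalidPayload < StandardError; end

# Only absolute https URLs are stored (assumed policy). A user-supplied URL that
# is later rendered into an <img src> or a link must not be javascript:, data:,
# protocol-relative or a bare path.
def safe_url(value, name)
  raise InvalidPayload, "#{name} must be a string" unless value.is_a?(String)
  uri = begin
    URI.parse(value)
  rescue URI::InvalidURIError
    raise InvalidPayload, "#{name} is not a valid URL: #{value.inspect}"
  end
  unless uri.scheme == "https" && uri.host && !uri.host.empty?
    raise InvalidPayload, "#{name} must be an absolute https URL: #{value.inspect}"
  end
  value
end

def non_blank_string(value, name, max: 255)
  raise InvalidPayload, "#{name} must be a string" unless value.is_a?(String)
  text = value.strip
  raise InvalidPayload, "#{name} is blank" if text.empty?
  raise InvalidPayload, "#{name} is longer than #{max} characters" if text.length > max
  text
end

# jQuery serialises a JS array as the keys "0", "1", "2", ...; anything that is
# not a non-negative integer index is rejected rather than guessed at.
def array_index(key)
  index = Integer(key, 10)
  raise InvalidPayload, "bad array index #{key.inspect}" if index < 0
  index
rescue ArgumentError, TypeError
  raise InvalidPayload, "bad array index #{key.inspect}"
end

# Returns an array of flat record hashes, one per "data" entry, containing only
# the fields we expect (assumed column names). Unknown keys anywhere in the
# payload are dropped, never stored.
def permit_payload(params)
  raise InvalidPayload, "params must be a Hash" unless params.is_a?(Hash)
  source_url = safe_url(params["url"], "url")
  data = params["data"]
  raise InvalidPayload, "data must be a Hash" unless data.is_a?(Hash)

  data.keys.sort_by { |k| array_index(k) }.map do |idx|
    item = data[idx]
    raise InvalidPayload, "data[#{idx}] must be a Hash" unless item.is_a?(Hash)
    person = item["person"]
    raise InvalidPayload, "data[#{idx}].person must be a Hash" unless person.is_a?(Hash)
    image = person["image"]
    raise InvalidPayload, "data[#{idx}].person.image must be a Hash" unless image.is_a?(Hash)
    {
      source_url:   source_url,
      item_id:      non_blank_string(item["id"], "data[#{idx}].id", max: 64),
      person_id:    non_blank_string(person["id"], "data[#{idx}].person.id", max: 64),
      display_name: non_blank_string(person["dName"], "data[#{idx}].person.dName"),
      image_url:    safe_url(image["url"], "data[#{idx}].person.image.url"),
    }
  end
end

# Constructed from the parameters shown in the log; not captured traffic.
SAMPLE_PARAMS = {
  "url"  => "https://abc.yupp.com/hs/_/krfdsgea",
  "data" => {
    "0" => {
      "id"     => "231bacacdsf928",
      "person" => {
        "id"    => "2342762436",
        "dName" => "wwwww",
        "image" => { "url" => "https://sbc/photo.jpg" },
      },
    },
  },
  "role" => "admin",   # unexpected extra key sent by a client: ignored, not stored
}.freeze

if __FILE__ == $PROGRAM_NAME
  permit_payload(SAMPLE_PARAMS).each { |record| p record }
end
```

In a real controller the returned hashes would go straight to something like `Model.create!(record)` inside a transaction, and a failed `InvalidPayload` would become a 422 JSON response rather than a stack trace. The two checks worth keeping even if you switch to strong parameters are the URL scheme/host check (strong parameters only filter keys, they do not validate values) and the numeric-index check, which stops a client from smuggling arbitrary keys into what the server believes is an array.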

> I have a page (like https://www.helloabc.com/han.html) that is loaded inside an iframe on an app of a different domain. I added the following to enable loading the page in an iframe to remove the error ("Refused to display document because display forbidden by X-Frame-Options").
>
> config.action_dispatch.default_headers['X-Frame-Options'] = "ALLOW-FROM https://xyz.com"

Just a warning - Allow-from isn’t supported by all browsers (X-Frame-Options - HTTP | MDN)

> I just read that adding "skip_before_filter :verify_authenticity_token" will lead to a serious security problem. How do I solve this?

Skipping the authenticity token means that a 3rd party can trick one of your users into loading https://www.helloabc.com/hello (for example, if they visit a page with an image whose src is set to that). Furthermore, if the user is logged in, then that request is made with that user's credentials.

This is not necessarily a problem: for example if your hellojson action doesn’t require authentication in the first place, then you’ve not enabled the attacker to do anything they can’t already do.

It’s not clear to me what the iframe has to do with all this - is the relevance just that since your session cookie is a 3rd party cookie, it’s not being saved?

Fred

Hey Frederick Cheung, thanks for the reply. I removed "skip_before_filter :verify_authenticity_token", sent the authenticity token as a parameter, and it worked. :)
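To make concrete why sending the token (as the `authenticity_token` parameter, which is what the follow-up above did, or as the `X-CSRF-Token` header) fixes the 422, and what `skip_before_filter :verify_authenticity_token` actually switches off, here is an added example that is not part of the thread and not Rails' own code: a stand-alone Ruby re-implementation of the accept/reject decision Rails 4.0/4.1 make in `verified_request?` (safe methods exempt; otherwise the session's token must match the `authenticity_token` param or the `X-CSRF-Token` header). Two deliberate differences from the real thing are labelled in the code: it uses a constant-time comparison, and it takes a `protect_against_forgery:` flag to model the skipped filter. Rails 4.2 and later additionally mask the token rendered into the page, but the outcomes shown here are unchanged. The `demo_outcomes` function and its scenarios are assumptions for illustration; the `no_session` case models the third-party-cookie situation Fred asks about, where the browser never sends the session cookie from inside the iframe.

```ruby
require 'securerandom'

# Added illustration, not Rails' code: the CSRF decision Rails 4.0/4.1 make in
# ActionController::RequestForgeryProtection#verified_request?, reduced to plain
# Ruby so it runs without a Rails app.

# Rails keeps one random token per session (session[:_csrf_token]) and renders
# it into the page via csrf_meta_tags / form_authenticity_token.
def new_csrf_token
  SecureRandom.base64(32)
end

# Constant-time comparison: the time taken must not depend on how many leading
# bytes match, or an attacker could confirm the token byte by byte. (Rails
# 4.0/4.1 used ==; 4.2+ uses ActiveSupport::SecurityUtils.secure_compare.)
def secure_compare(expected, given)
  return false unless expected.is_a?(String) && given.is_a?(String)
  return false unless expected.bytesize == given.bytesize
  diff = 0
  expected.bytes.zip(given.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# method:                  HTTP method of the incoming request
# session_token:           token stored in the user's session, or nil when the
#                          browser sent no session cookie (e.g. a third-party
#                          cookie blocked inside an iframe)
# params / headers:        where the client may have put its copy of the token
# protect_against_forgery: false models skip_before_filter :verify_authenticity_token
#                          (assumed flag, added for the demonstration)
def verified_request?(method:, session_token:, params: {}, headers: {},
                      protect_against_forgery: true)
  return true unless protect_against_forgery           # check switched off entirely
  return true if %w[GET HEAD].include?(method.upcase)   # safe methods are never checked
  return false if session_token.nil?                    # nothing to compare against
  given = params["authenticity_token"] || headers["X-CSRF-Token"]
  secure_compare(session_token, given)
end

# Outcomes for the situations discussed in the thread (assumed scenarios).
def demo_outcomes
  token = new_csrf_token
  {
    # a third-party page POSTs a form at /hello: the browser attaches the
    # session cookie, but that page cannot read the token to include it
    cross_site_post: verified_request?(method: "POST", session_token: token),
    # what the original poster ended up doing
    token_in_params: verified_request?(method: "POST", session_token: token,
                                       params: { "authenticity_token" => token }),
    # what jquery_ujs does for same-origin $.ajax calls
    token_in_header: verified_request?(method: "POST", session_token: token,
                                       headers: { "X-CSRF-Token" => token }),
    wrong_token:     verified_request?(method: "POST", session_token: token,
                                       headers: { "X-CSRF-Token" => new_csrf_token }),
    # token present, but no session cookie reached the server
    no_session:      verified_request?(method: "POST", session_token: nil,
                                       headers: { "X-CSRF-Token" => token }),
    # skip_before_filter: every POST is accepted, token or not
    skipped:         verified_request?(method: "POST", session_token: token,
                                       protect_against_forgery: false),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo_outcomes.each { |scenario, ok| puts "#{scenario}: #{ok ? 'accepted' : 'rejected'}" }
end
```

Practical notes: in a Rails-rendered page `<%= csrf_meta_tags %>` puts the token in a `<meta name="csrf-token">` tag and jquery_ujs copies it into the `X-CSRF-Token` header on every same-origin jQuery Ajax request, so nothing needs to be added to the `$.ajax` call; for a static page such as han.html the token has to be rendered into the page by the server first, and the `no_session` row is the case to test in browsers that block third-party cookies inside the iframe, since there the server has no session and no token can ever match.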