I have a page(like https://www.helloabc.com/han.html) that is loaded inside an iframe on an app of different domain. I added the following to enable loading the page in an iframe to remove the error("Refused to display document because display forbidden by X-Frame-Options").
config.action_dispatch.default_headers['X-Frame-Options'] = "ALLOW-FROM https://xyz.com"
The iframe page sends data through ajax json to another page as follows .
$.ajax({ url: 'https://www.helloabc.com/hello’, type: 'POST', dataType: 'json', data: { "url" : hjurl, "data" : senddatavar }, success: function(a){ console.log("success"); console.log(a.message); }, error: function(request, status, error) { console.log("error"); } });
I received it as follows
heroku[router]: at=info method=POST path="/hello" host=www.helloabc.com request_id=7163f18c-16c8-47ab-b4bf-602d12c9c67d fwd="117.203.154.1" dyno=web.1 connect=3ms service=13ms status=422 bytes=359 app[web.1]: Started POST "/hello" for 117.203.154.1 at 2014-11-07 12:15:59 +0000 app[web.1]: Completed 422 Unprocessable Entity in 1ms app[web.1]: Processing by HomePageController#hellojson as JSON app[web.1]: Parameters: {"url"=>"https://abc.yupp.com/hs/_/krfdsgea", "data"=>{"0"=>{"id"=>"231bacacdsf928", "person"=>{"id"=>"2342762436", "dName"=>"wwwww", "image"=>{"url"=>"https://sbc/photo.jpg"\}},}}} app[web.1]: Can't verify CSRF token authenticity app[web.1]: app[web.1]: ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):
So I changed my controller as follows to avoid this problem
class HomePageController < ApplicationController
skip_before_filter :verify_authenticity_token, only: [:hellojson]
def hello end
def hellojson respond_to do |format| format.html format.json { render :json => { :status => 'Ok', :message => 'Received'}, :status => 200 } end end
end
I just read that adding "skip_before_filter :verify_authenticity_token" will lead to serious security problem. How do I solve this?
After this I am able to receive data and I receive 200 ok in my iframe page.
heroku[router]: at=info method=POST path="/hello" host=www.helloabc.com request_id=ac3ed869-75cc-484f-94ea-65ea2fccbb9e fwd="117.203.154.1" dyno=web.1 connect=3ms service=26ms status=200 bytes=900 app[web.1]: Started POST "/hello" for 117.203.154.1 at 2014-11-07 16:45:29 +0000 app[web.1]: Processing by HomePageController#hellojson as JSON app[web.1]: Parameters: {"url"=>"https://abc.yupp.com/hs/_/krki5gea", "data"=>{"0"=>{"id"=>"937bacaeb0f928", "person"=>{"id"=>"1984762436", "dName"=>"zzzzz", "image"=>{"url"=>"https://sbc/photo.jpg"\}}, }}} app[web.1]: Completed 200 OK in 2ms (Views: 0.4ms | ActiveRecord: 0.0ms)
I am new to rails. I don't know how to grab this data and store it. And I dont know how to do it the right way. Can anyone please share what is the best practice to send data through ajax securely and store it?