Fixed csrf delete for generated scaffolding #356
Conversation
@elorest Can Amber have something like with params instead of using direct links?
@faustinoaq it should be able to. @eliasjpr was working on If you wanted to pair on it I'd be happy to jump on as well as I've already played around with the concept.
We can improve that later though. This just fixes a bug and should be merged asap in my opinion.
Whether it should override GET with DELETE or use POST is a conversation we can have another day. However, this is not a security concern since CSRF isn't concerned with man-in-the-middle attacks or copying and pasting links. Please see the conversation on issue #339 or read up on CSRF mitigation.
@elorest - I agree this should get merged in ASAP. If this gets refactored / more work is done with CSRF and DELETE, we should write some tests around it. AFAIK, this was happening in production and the test suite didn't catch it. Is that waiting on the ability to do capybara type testing? |
Description of the Change
Fixes #339.
Also uses link helpers instead of `<a href...>`.
Alternate Designs
At some point we might want to use a helper to generate a form that posts or a JS hack that does it onclick.
Benefits
Protects from cross site scripting, so that javascript in other tabs can't post valid requests to domains associated with your cookies.
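The "JS hack that does it onclick" floated under Alternate Designs, as an added example that is not part of this PR or of Amber's own code: a click handler that turns a `data-method="delete"` link into a same-origin POST carrying a method override and the CSRF token, so a bare GET link can no longer trigger the destructive action. The `csrf-token` meta tag and the `_method` / `_csrf` field names are assumptions, not Amber's documented names.

```javascript
// Added example (not Amber's own code). Assumptions: the layout renders
// <meta name="csrf-token" content="...">, and the server accepts a `_method`
// override field plus a `_csrf` token field (both names assumed here).

// Pure part: describe the hidden form for a data-method link.
// Refuses to build anything without a token, so a missing token fails
// closed instead of silently sending an unprotected request.
function buildMethodOverrideForm(href, method, csrfToken) {
  const verb = String(method || "").toLowerCase();
  if (!["delete", "put", "patch"].includes(verb)) {
    throw new Error("unsupported method override: " + method);
  }
  if (!csrfToken) {
    throw new Error("missing CSRF token; refusing to submit");
  }
  return {
    action: href,
    method: "post", // browsers only natively submit GET and POST forms
    fields: { _method: verb, _csrf: csrfToken },
  };
}

// DOM part: intercept clicks on <a data-method="delete" href="/posts/1">
// and submit the equivalent POST form instead of following the GET link.
function installMethodOverrideLinks(doc) {
  const meta = doc.querySelector('meta[name="csrf-token"]');
  const token = meta ? meta.getAttribute("content") : null;
  doc.addEventListener("click", (ev) => {
    const link = ev.target.closest("a[data-method]");
    if (!link) return;
    ev.preventDefault();
    if (link.dataset.confirm && !doc.defaultView.confirm(link.dataset.confirm)) return;
    const spec = buildMethodOverrideForm(link.getAttribute("href"), link.dataset.method, token);
    const form = doc.createElement("form");
    form.method = spec.method;
    form.action = spec.action;
    for (const [name, value] of Object.entries(spec.fields)) {
      const input = doc.createElement("input");
      input.type = "hidden";
      input.name = name;
      input.value = value;
      form.appendChild(input);
    }
    doc.body.appendChild(form);
    form.submit();
  });
}

// Only wire up the handler when running in a browser.
if (typeof document !== "undefined") installMethodOverrideLinks(document);
```

The server side still has to verify `_csrf` against the session and honour `_method` only on POST bodies; the client-side helper alone is not the protection.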