add report_csrf_failure, enable custom reports #1573

Merged
merged 3 commits into master from padrino/clarify-csrf on Feb 13, 2014

@ujifgc
Member

ujifgc commented Feb 3, 2014

ref #1566

To render a custom error, add to your app:

enable :protect_from_csrf      # turn on the CSRF (authenticity token) check
enable :report_csrf_failure    # let the 403 reach the app's own error handler
error 403 do                   # handler invoked for the CSRF failure
  render 'base/error'
end
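The two behaviours this pull request distinguishes, as an added illustration that is not Padrino's or Rack::Protection's own code: without `report_csrf_failure` the protection layer answers a failed token check with a bare 403, while with it enabled the failure is halted inside the app so the app's `error 403` handler renders the page. The `CsrfDemoApp` class, its request hash shape and the `Forbidden` default body are constructed for this example; the constant-time compare is included because a plain string comparison would leak how much of the token matched.

```ruby
require 'securerandom'

# Constructed model of a Padrino-style app with a CSRF check. Not the
# project's code; it only reproduces the behaviour discussed in the PR.
class CsrfDemoApp
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

  attr_reader :settings

  def initialize(report_csrf_failure: false)
    # Mirrors `enable :protect_from_csrf` / `enable :report_csrf_failure`.
    @settings = { protect_from_csrf: true, report_csrf_failure: report_csrf_failure }
    @error_handlers = {}
  end

  # Counterpart of `error 403 do ... end` in the PR description.
  def error(status, &block)
    @error_handlers[status] = block
  end

  # Issue (or reuse) the per-session token that forms must echo back.
  def issue_token(session)
    session['csrf'] ||= SecureRandom.hex(32)
  end

  # Constant-time comparison: the time taken does not depend on the
  # position of the first differing byte.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def token_valid?(session, submitted)
    expected = session['csrf']
    return false if expected.nil? || submitted.nil?
    secure_compare(expected, submitted)
  end

  # Dispatch one request given as {method:, params:, session:} (constructed
  # shape, not Rack's env). Returns [status, body].
  def call(env)
    unsafe = !SAFE_METHODS.include?(env[:method])
    if settings[:protect_from_csrf] && unsafe &&
       !token_valid?(env[:session], env[:params]['authenticity_token'])
      return csrf_failure
    end
    [200, 'ok']
  end

  private

  # With report_csrf_failure the app's own 403 handler renders the
  # response; otherwise the protection layer's default body is returned
  # and the handler is never reached.
  def csrf_failure
    handler = @error_handlers[403]
    if settings[:report_csrf_failure] && handler
      [403, handler.call]
    else
      [403, 'Forbidden']
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  app = CsrfDemoApp.new(report_csrf_failure: true)
  app.error(403) { 'custom error page' }
  session = {}
  token = app.issue_token(session)
  p app.call(method: 'POST', params: { 'authenticity_token' => token }, session: session)
  p app.call(method: 'POST', params: {}, session: session)
end
```

Safe methods (GET, HEAD, OPTIONS, TRACE) skip the check, as the token is only meaningful for state-changing requests; a missing or wrong token on any other method yields the 403 in whichever form the setting selects.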
Contributor

dariocravero commented Feb 3, 2014

Thanks @ujifgc! Looks good to me. @skade, thoughts?

Member

skade commented Feb 4, 2014

I would prefer if the old key still worked with a warning, for those that configured it.

Just to validate: The current solution doesn't short-circuit in the middleware stack, but instead halts in the routing layer by adding a condition to all routes that halts by default? Seems good to me.

The previous version stemmed from the fact that I tried to keep as close to Rack::Protection standard behaviour as possible.

Member

ujifgc commented Feb 4, 2014

As the default behavior is now to bubble 403 up to Sinatra, do you see any point in watching after this allow_disabled_csrf? Would anyone disable allow_disabled_csrf manually? I added a deprecation notice.

@nesquena nesquena added this to the 0.12.1 milestone Feb 9, 2014

Member

ujifgc commented Feb 13, 2014

I reverted enabling report_csrf_failure by default and removed deprecation of enabled allow_disabled_csrf. Also improved tests to ensure custom errors are working.

ujifgc added a commit that referenced this pull request Feb 13, 2014

Merge pull request #1573 from padrino/clarify-csrf
add report_csrf_failure, enable custom reports

@ujifgc ujifgc merged commit aa9d108 into master Feb 13, 2014

1 check passed: default (The Travis CI build passed)
@ujifgc ujifgc deleted the clarify-csrf branch Feb 13, 2014
