
removed reference to verify method

commit 09edaf49646c14b6162726c1fb2bc0e980c3962f 1 parent 527036e
Vijay Dev vijaydev authored

Showing 1 changed file with 1 addition and 9 deletions.

10 railties/guides/source/security.textile
@@ -211,15 +211,7 @@ The HTTP protocol basically provides two main types of requests - GET and POST (
211 211
212 212 If your web application is RESTful, you might be used to additional HTTP verbs, such as PUT or DELETE. Most of today‘s web browsers, however do not support them - only GET and POST. Rails uses a hidden +_method+ field to handle this barrier.
213 213
214   -_(highlight)The verify method in a controller can make sure that specific actions may not be used over GET_. Here is an example to verify the use of the transfer action over POST. If the action comes in using any other verb, it redirects to the list action.
215   -
216   -<ruby>
217   -verify :method => :post, :only => [:transfer], :redirect_to => {:action => :list}
218   -</ruby>
219   -
220   -With this precaution, the attack from above will not work, because the browser sends a GET request for images, which will not be accepted by the web application.
221   -
222   -But this was only the first step, because _(highlight)POST requests can be sent automatically, too_. Here is an example for a link which displays www.harmless.com as destination in the browser's status bar. In fact it dynamically creates a new form that sends a POST request.
  214 +_(highlight)POST requests can be sent automatically, too_. Here is an example for a link which displays www.harmless.com as destination in the browser's status bar. In fact it dynamically creates a new form that sends a POST request.
223 215
224 216 <html>
225 217 <a href="http://www.harmless.com/" onclick="
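Review bot: the new line 214 leaves a dangling "too": "POST requests can be sent automatically, too" used to follow the sentence explaining that GET-based requests (the image trick referred to as "the attack from above") are blocked by restricting the action to POST, and that context is deleted in the same hunk. With lines 214-221 gone, the guide no longer states any mitigation for the GET case before moving on to the POST case, so a reader of the +214 paragraph has nothing to compare "too" against. Suggest either dropping "too" and rewording to "POST requests can also be sent automatically" with an explicit lead-in that restricting an action to POST alone is not sufficient, or keeping a one-line replacement for the removed advice (restrict state-changing actions to non-GET verbs by whatever mechanism the current Rails version provides) so the section still reads as GET defence first, then the POST escalation.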

0 comments on commit 09edaf4
