
Clearly limit new CSRF protection to GET requests

commit 4f4fdd643f9d19fbbeeec3ac77674f791c9beffa 1 parent d3fcaba
@jeremy jeremy authored
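--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -190,7 +190,7 @@ def handle_unverified_request
 # verify that JavaScript responses are for XHR requests, ensuring they
 # follow the browser's same-origin policy.
 def verify_authenticity_token
-@marked_for_same_origin_verification = true
+mark_for_same_origin_verification!
 if !verified_request?
 logger.warn "Can't verify CSRF token authenticity" if logger
@@ -218,10 +218,15 @@ def verify_same_origin_request
 end
 end
+# GET requests are checked for cross-origin JavaScript after rendering.
+def mark_for_same_origin_verification!
+@marked_for_same_origin_verification = request.get?
+end
+
 # If the `verify_authenticity_token` before_action ran, verify that
 # JavaScript responses are only served to same-origin GET requests.
 def marked_for_same_origin_verification?
-defined? @marked_for_same_origin_verification
+@marked_for_same_origin_verification ||= false
 end
 # Check for cross-origin JavaScript responses.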
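Review bot: The comment added above `mark_for_same_origin_verification!` says GET requests are checked but not why every other verb is deliberately left out, and that is exactly the reasoning a maintainer needs before touching `request.get?` (it currently lives only in the test file). I would expand it to `# Only GET requests are marked for the post-render cross-origin JavaScript check: a remote <script> tag can only issue GETs, and non-GET requests are already covered by the authenticity-token check in verified_request?.` The `||= false` in `marked_for_same_origin_verification?` also turns a predicate into an assignment, presumably to avoid an uninitialized-ivar warning under -w rather than for any functional reason; a one-line comment saying so would stop someone "simplifying" it back to a bare read. The `verify_same_origin_request` method that consumes this flag starts outside the hunk, so I could not confirm it has no other caller that expected the old always-true marking.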
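--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -305,6 +305,16 @@ def test_should_only_allow_same_origin_js_get_with_xhr_header
 end
 end
+# Allow non-GET requests since GET is all a remote <script> tag can muster.
+def test_should_allow_non_get_js_without_xhr_header
+assert_cross_origin_not_blocked { post :same_origin_js, custom_authenticity_token: @token }
+assert_cross_origin_not_blocked { post :same_origin_js, format: 'js', custom_authenticity_token: @token }
+assert_cross_origin_not_blocked do
+@request.accept = 'text/javascript'
+post :negotiate_same_origin, custom_authenticity_token: @token
+end
+end
+
 def test_should_only_allow_cross_origin_js_get_without_xhr_header_if_protection_disabled
 assert_cross_origin_not_blocked { get :cross_origin_js }
 assert_cross_origin_not_blocked { get :cross_origin_js, format: 'js' }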
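Review bot: The new test only exercises POST, while the library change keys on `request.get?`, so PUT/PATCH/DELETE and in particular HEAD (which `request.get?` rejects and which, unless a HEAD-to-GET conversion I cannot see from here intervenes, now skips the same-origin check) are unpinned by any assertion. One extra case per verb would lock the intended boundary in, e.g. `assert_cross_origin_not_blocked { delete :same_origin_js, format: 'js', custom_authenticity_token: @token }` and, if the test case supports it, `assert_cross_origin_not_blocked { head :same_origin_js, format: 'js' }`. The test helper `assert_cross_origin_not_blocked` and the `@token` fixture are defined outside the hunk, so I am assuming they behave for non-POST verbs as they do here.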
