update request_forgery_protection docs #15608
Conversation
| @@ -27,20 +27,17 @@ class InvalidCrossOriginRequest < ActionControllerError #:nodoc: | |||
| # It's important to remember that XML or JSON requests are also affected and if | |||
| # you're building an API you'll need something like: | |||
| # | |||
| # class ApplicationController < ActionController::Base | |||
There was a problem hiding this comment.
It is better to keep ApplicationController. Even if the application consist on api an non-api it is still correct and doesn't need to explain what is a ApiController and how it would be used.
|
I've just updated commit |
|
I've just updated docs:
|
|
👍 |
|
IMO following sentence is wrong:
In code there is no limitation to CSRF-token checks only for html/javascript |
|
Yes. I think you are right. @jeremy do you know if this sentence is true (or were)? |
|
It is true. Only requests that maintain a session are checked, which means HTML for most apps. APIs typically aren't session oriented, so there will be no CSRF token to check against: https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L248-L262 |
|
@jeremy, in code that you noticed there is no limitation for html or javascript, besides exclusion HEAD and GET requests: !protect_against_forgery? || request.get? || request.head?
Rails has a good method for API CSRF protection: Look at commit 6efc5bf where this sentence appeared. Version before changes is more truthful, because it's that what makes the code.
IMO: First and second paragraphs should be about standard CSRF protection that you will get in new rails application. And third paragraph should explain API case of rails usage. |
|
Correct, there is no explicit format check in the code. The docs intend to communicate that session-oriented requests, like those made from a browser, are verified for authenticity. That happens to include HTML and JS requests, but it isn't limited to these. It's only written this way to be understandable to Rails users: that "browser requests" need CSRF checks. The docs may certainly be updated to to reflect this. They should be accurate about how CSRF decisions are made but should be very easy to understand. |
|
Why are JS and HTML requests highlights here as something special? What about a following variant:
|
|
@donbobka looks very sensible and clear |
|
@rafaelfranca What do you think about @a86ee8a? |
|
Sorry for the delay of 4 years 😱! Can you rebase this PR? |
|
@rafaelfranca I rebased it, but there are no changes against current master. And I see that changes already merged So, I think we can close it. |
|
Cool! I'll close. Thanks |
I made some documentation changes in request_forgery_protection.rb:
protect_from_forgeryby default use:null_sessionmethod, some lines of documentation are obsolete.ApplicationControllertoApiController.ApplicationControllercan mislead developers, because usually rails application consist of non-api controllers and api controllers