CSRF protection and <script> tags #21547

Closed
designgrill opened this issue Sep 8, 2015 · 3 comments
@designgrill

The Rails guide and documentation here and here mention that cross-site (or remote) <script> tags are blocked from getting a JavaScript response. I think the messaging can be made better.

  • The blocking happens only for JS responses generated by a controller and doesn't apply to static files.
  • The blocking happens irrespective of whether the request was a remote <script> or made through the same domain. Any JS response generated by a controller for a non-XHR request, by default, even from the same origin, will get blocked.
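To make the two points above concrete, here is an added Ruby model of the check (not code from this issue or from Rails itself). It reconstructs the Rails 4.x `verify_same_origin_request` / `non_xhr_javascript_response?` logic from memory; the `Request` struct, the `served_by_controller:` flag and the constructed sample requests are assumptions for illustration.

```ruby
# Minimal stand-in for the request attributes the Rails check consults (assumption).
Request = Struct.new(:http_method, :headers, keyword_init: true) do
  def get?
    http_method == "GET"
  end

  # Rails' request.xhr? is exactly this header comparison.
  def xhr?
    headers["X-Requested-With"] == "XMLHttpRequest"
  end
end

JS_CONTENT_TYPE = %r{\A(?:text|application)/javascript}

# Mirrors non_xhr_javascript_response?: a JS body sent to a request that did
# not come from XMLHttpRequest. Origin and Referer are never consulted, so a
# same-origin <script src="/foo.js"> is caught just like a remote one.
def non_xhr_javascript_response?(request, content_type)
  !!(content_type =~ JS_CONTENT_TYPE) && !request.xhr?
end

# Approximates verify_same_origin_request (an after_action installed by
# protect_from_forgery). A request is "marked" for this check only if it went
# through the controller filter chain and was a GET; files served from
# public/ or by the asset pipeline never reach a controller, so they pass.
def blocked_by_forgery_protection?(request, content_type, served_by_controller: true)
  return false unless served_by_controller
  marked_for_same_origin_verification = request.get?
  marked_for_same_origin_verification && non_xhr_javascript_response?(request, content_type)
end

# Constructed requests: the same URL fetched three different ways.
SCRIPT_TAG_SAME_ORIGIN = Request.new(http_method: "GET", headers: { "Referer" => "https://app.example/page" })
SCRIPT_TAG_REMOTE      = Request.new(http_method: "GET", headers: { "Referer" => "https://other.example/" })
XHR_SAME_ORIGIN        = Request.new(http_method: "GET", headers: { "X-Requested-With" => "XMLHttpRequest" })

def decision_table
  {
    "controller JS, same-origin <script>" => blocked_by_forgery_protection?(SCRIPT_TAG_SAME_ORIGIN, "text/javascript"),
    "controller JS, remote <script>"      => blocked_by_forgery_protection?(SCRIPT_TAG_REMOTE, "text/javascript"),
    "controller JS, same-origin XHR"      => blocked_by_forgery_protection?(XHR_SAME_ORIGIN, "text/javascript"),
    "static /assets/app.js, <script>"     => blocked_by_forgery_protection?(SCRIPT_TAG_SAME_ORIGIN, "application/javascript", served_by_controller: false),
    "controller HTML, <script>"           => blocked_by_forgery_protection?(SCRIPT_TAG_SAME_ORIGIN, "text/html"),
  }
end

decision_table.each do |label, blocked|
  puts "#{label.ljust(38)} #{blocked ? 'blocked (InvalidCrossOriginRequest)' : 'allowed'}"
end
```

The table shows the two points from the issue: origin plays no role (both <script> cases are blocked, the XHR case is not), and only controller-rendered JS is subject to the check.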
@rafaelfranca (Member)

Could you please open a PR?

@designgrill (Author)

@rafaelfranca Sure. Will do that soon.

Raised it as an issue to check if I am missing something. A Rails rookie here.

@rafaelfranca (Member)

I think you are correct but with a PR we can have a better idea on how you think the text could be improved and give better feedback.
