Thursday, November 19, 2009

Open up your pages for outside requests

My previous post explains how to POST a form to another site. Rails (in the current version, anyway!) includes a basic solution to make XSS (Cross Site Scripting) or CSRF (Cross-Site Request Forgery) harder: in the application controller, the protect_from_forgery method checks each request via a token. Of course, from the outside you're not able to provide the right token...

Turning this protection off (with care and alternative protection measures, I suggest!) for specific actions is possible. Here is an example.


# Skip the CSRF token check only for the action that receives the outside POST
protect_from_forgery :except => [:process_payment]

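What "alternative protection measures" can look like once the token check is skipped, as an added example that is not code from the original post: the two sites share a secret, the sender signs the body together with a timestamp, and the receiver recomputes the HMAC and rejects tampered or stale requests. The secret, the header layout and the freshness window are assumptions; in the Rails app the check would run from a filter restricted to :process_payment (hypothetical wiring, shown only in a comment).

```ruby
require 'openssl'

# Added example, not from the original post. When protect_from_forgery is
# skipped for an action, something else must decide whether an outside POST
# is trusted. A shared secret (assumed known only to the two sites) signs the
# request body plus a timestamp; the receiver recomputes the HMAC and rejects
# requests that are tampered with or too old to be fresh.
#
# Hypothetical Rails wiring for the receiver side:
#   before_filter :verify_external_signature, :only => :process_payment
module ExternalRequestAuth
  MAX_AGE_SECONDS = 300 # assumed freshness window to limit replays

  # Sender side: value to send alongside the body (e.g. in an X-Signature header).
  def self.sign(secret, timestamp, body)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), secret,
                            "#{timestamp}.#{body}")
  end

  # Receiver side: true only when the timestamp is a recent integer and the
  # signature matches. The comparison is constant-time so the check does not
  # leak how many leading characters were right.
  def self.valid?(secret, timestamp, body, signature, now = Time.now.to_i)
    return false unless timestamp.to_s =~ /\A\d+\z/
    return false if (now - timestamp.to_i).abs > MAX_AGE_SECONDS
    expected = sign(secret, timestamp, body)
    return false unless expected.bytesize == signature.to_s.bytesize
    secure_compare(expected, signature.to_s)
  end

  def self.secure_compare(a, b)
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff == 0
  end
end

if __FILE__ == $0
  # Constructed sample: what the calling site would send for a payment POST.
  secret = 'constructed-shared-secret'
  ts     = Time.now.to_i
  body   = 'amount=10&order=42'
  sig    = ExternalRequestAuth.sign(secret, ts, body)
  puts "genuine request accepted: #{ExternalRequestAuth.valid?(secret, ts, body, sig)}"
  puts "tampered body accepted:   #{ExternalRequestAuth.valid?(secret, ts, 'amount=99&order=42', sig)}"
end
```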
