```ruby
class ApplicationController < ActionController::Base
  before_filter :ensure_xhr

  private

  # Refuse GET requests for script-includable formats (.js/.json) unless they
  # arrived via XMLHttpRequest; a cross-site <script src> tag cannot set that header.
  def ensure_xhr
    if request.get? && request.format && (request.format.js? || request.format.json?)
      head :forbidden unless request.xhr?
    end
  end
end
```
Don't bork your JSON API:

```ruby
class Api::BaseController < ApplicationController
  skip_before_filter :ensure_xhr
end
```
tundal45
commented
Dec 2, 2013
@javan Confused why you would need to skip the before filter in API. Wouldn't
Draiken
commented
Dec 2, 2013
@tundal45 Not really. I can access an API through any place, not just the browser.
dhh
commented
Dec 2, 2013
Worth noting is that this would go hand-in-hand with all GET .js requests getting the xhr header added. So this would protect on all verbs, including GET.
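To make the decision in the `ensure_xhr` filter and dhh's point about GET concrete, here is an added, framework-free model of that check (not code from the thread or from Rails): `Request` stands in for the Rails request object, and the format/header logic is an assumption that mirrors the filter's conditions.

```ruby
# Constructed stand-in for the Rails request object (assumption, not Rails' API).
Request = Struct.new(:method, :path, :accept, :headers, keyword_init: true)

SCRIPT_TYPES = %w[text/javascript application/javascript application/json].freeze

# Format is inferred from a .js/.json extension first, then from the first
# Accept media type; this approximates request.format.js?/json?.
def script_format?(req)
  return true if req.path.end_with?('.js', '.json')
  first = req.accept.to_s.split(',').first.to_s.split(';').first.to_s.strip
  SCRIPT_TYPES.include?(first)
end

# request.xhr? checks the X-Requested-With header that browser XHR sets and
# that a cross-site <script src> tag cannot.
def xhr?(req)
  req.headers.fetch('X-Requested-With', '').casecmp?('XMLHttpRequest')
end

# Mirrors `head :forbidden unless request.xhr?` for GET script-format requests.
def ensure_xhr(req)
  return :ok unless req.method == 'GET' && script_format?(req)
  xhr?(req) ? :ok : :forbidden
end

# Constructed sample requests: a cross-site script include, a same-page XHR,
# a plain HTML page load, a form POST, and an extension-less Accept-driven GET.
def run_cases
  xhr = { 'X-Requested-With' => 'XMLHttpRequest' }
  {
    script_include: ensure_xhr(Request.new(method: 'GET', path: '/messages.js', accept: '*/*', headers: {})),
    xhr_get:        ensure_xhr(Request.new(method: 'GET', path: '/messages.js', accept: '*/*', headers: xhr)),
    html_get:       ensure_xhr(Request.new(method: 'GET', path: '/messages', accept: 'text/html', headers: {})),
    post_js:        ensure_xhr(Request.new(method: 'POST', path: '/messages.js', accept: '*/*', headers: {})),
    accept_js_get:  ensure_xhr(Request.new(method: 'GET', path: '/messages', accept: 'text/javascript', headers: {})),
    wildcard_get:   ensure_xhr(Request.new(method: 'GET', path: '/messages', accept: '*/*', headers: {}))
  }
end
```

The last case shows the limit of the check: a GET with neither a .js/.json extension nor a script Accept type is not treated as a script response at all, so the filter only protects actions whose format is actually declared.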
homakov
commented
Dec 2, 2013
API doesn't usually use cookies so no private info can be CSRF-ed.
homakov
commented
Dec 2, 2013
@javan what about actions working like this
They don't have specified params[:format]. I've seen it in the wild.
@homakov If the incoming request doesn't have .js in the path or a javascript Accept header,