```ruby
class ApplicationController < ActionController::Base
  # Runs before every action (Rails 3/4 name; `before_action` in Rails 4+).
  before_filter :ensure_xhr

  private

  # A GET that renders JavaScript (or JSON) can be pulled in cross-site with a
  # plain <script src="..."> tag. The browser sends the victim's cookies with
  # that request but never an X-Requested-With header, and a cross-origin XHR
  # cannot add that header without a CORS preflight this server would have to
  # approve. So refuse script-loadable GET responses that did not come from
  # XMLHttpRequest.
  def ensure_xhr
    if request.get? && request.format && (request.format.js? || request.format.json?)
      head :forbidden unless request.xhr?
    end
  end
end
```
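The decision the filter makes, worked through on the cases raised in the comments below. This is an added example, not the gist's code: the `Request` struct stands in for `ActionDispatch::Request` so it runs without Rails, the `/api/` prefix, the header names and the sample requests are constructed assumptions, and the API skip is tightened to apply only when the request carries no cookies (if a session cookie is present, a `<script>` tag could be the sender, so the check still runs).

```ruby
require "uri"

# Constructed stand-in for ActionDispatch::Request (assumption: not Rails).
Request = Struct.new(:verb, :path, :headers, :cookies, keyword_init: true) do
  def get?
    verb == "GET"
  end

  # jQuery and similar libraries set this on XMLHttpRequest calls. A <script
  # src> tag or a top-level navigation never sends it, and a cross-origin XHR
  # cannot add it without a CORS preflight the server would have to approve.
  def xhr?
    headers["X-Requested-With"] == "XMLHttpRequest"
  end

  # Format the way the thread discusses it: the .js/.json extension when the
  # path has one, otherwise the Accept header, otherwise treat it as HTML.
  def format
    ext = File.extname(URI(path).path).sub(/\A\./, "")
    return ext unless ext.empty?
    accept = headers.fetch("Accept", "")
    return "js"   if accept.include?("javascript")
    return "json" if accept.include?("json")
    "html"
  end

  # The skip debated in the comments; /api/ is an assumed route prefix.
  def api?
    path.start_with?("/api/")
  end
end

# :forbidden where the gist would `head :forbidden`, :ok otherwise.
# GET is the only verb a <script> tag can issue; other verbs are left to the
# normal CSRF token check (protect_from_forgery).
def ensure_xhr(req)
  # Token-authenticated API client: no cookies, so nothing a script tag could
  # exfiltrate. A request under /api/ that does carry cookies is still checked.
  return :ok if req.api? && req.cookies.empty?
  script_loadable = req.get? && %w[js json].include?(req.format)
  script_loadable && !req.xhr? ? :forbidden : :ok
end

XHR     = { "X-Requested-With" => "XMLHttpRequest" }.freeze
SESSION = { "_app_session" => "victim-cookie" }.freeze # constructed

# Constructed requests, one per case raised in the thread.
SAMPLES = {
  # attacker page: <script src="https://app.example/users.js"> sends the
  # victim's cookie but no X-Requested-With header
  script_tag_js:  Request.new(verb: "GET",  path: "/users.js",        headers: {},  cookies: SESSION),
  # same resource fetched by the app's own jQuery code
  same_site_ajax: Request.new(verb: "GET",  path: "/users.js",        headers: XHR, cookies: SESSION),
  # no params[:format] in the path; the format comes from Accept
  accept_json:    Request.new(verb: "GET",  path: "/users",           headers: { "Accept" => "application/json" }, cookies: SESSION),
  # a query string must not hide the extension
  js_with_query:  Request.new(verb: "GET",  path: "/users.js?page=2", headers: {},  cookies: SESSION),
  # ordinary page load: HTML is not script-loadable
  html_page:      Request.new(verb: "GET",  path: "/users",           headers: { "Accept" => "text/html" }, cookies: SESSION),
  # non-GET .js is protect_from_forgery's job, not this filter's
  post_js:        Request.new(verb: "POST", path: "/users.js",        headers: {},  cookies: SESSION),
  # token-authenticated API call from a non-browser client, no cookies
  api_token:      Request.new(verb: "GET",  path: "/api/users.json",  headers: { "Authorization" => "Bearer t0k3n" }, cookies: {}),
  # same API route reached by a <script> tag: the victim's cookie comes along
  api_script_tag: Request.new(verb: "GET",  path: "/api/users.json",  headers: {},  cookies: SESSION),
}.freeze

# Name => :ok / :forbidden for every sample above.
def decisions
  SAMPLES.transform_values { |req| ensure_xhr(req) }
end

if __FILE__ == $PROGRAM_NAME
  decisions.each { |name, verdict| puts "#{name.to_s.ljust(15)} #{verdict}" }
end
```

Run it with `ruby ensure_xhr_demo.rb`; the `accept_json` and `js_with_query` rows are the ones worth looking at, since a check that only looked at `params[:format]` or the raw path string would let both through.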
@javan Confused why you would need to skip the before filter in API. Wouldn't
@tundal45 Not really. I can access an API through any place, not just the browser.
@tundal45
Worth noting is that this would go hand-in-hand with all GET .js requests getting the xhr header added. So this would protect on all verbs, including GET. |
API doesn't usually use cookies so no private info can be CSRF-ed. |
@javan what about actions working like this
They don't have a specified params[:format]. I've seen it in the wild.
@homakov If the incoming request doesn't have .js in the path or a javascript Accept header,
Don't bork your JSON API: