Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Prevent cross-origin js requests
class ApplicationController < ActionController::Base
before_filter :ensure_xhr
private
def ensure_xhr
if request.get? && request.format && (request.format.js? || request.format.json?)
head :forbidden unless request.xhr?
end
end
end
@homakov
Copy link

homakov commented Dec 2, 2013

@javan what about actions working like this

def index
  render 'index.js.erb'
end

They don't have specified params[:format]. I've seen it in the wild

@javan
Copy link
Author

javan commented Dec 2, 2013

@homakov If the incoming request doesn't have .js in the path or a javascript Accept header, request.format.js? will be false. If you've made the decision to still return js in that scenario then the above solution will not protect you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment