Skip to content

Instantly share code, notes, and snippets.

Created November 30, 2013 22:06
  • Star 37 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Prevent cross-origin js requests
class ApplicationController < ActionController::Base
before_filter :ensure_xhr
def ensure_xhr
if request.get? && request.format && (request.format.js? || request.format.json?)
head :forbidden unless request.xhr?
Copy link

javan commented Dec 2, 2013

@homakov If the incoming request doesn't have .js in the path or a javascript Accept header, request.format.js? will be false. If you've made the decision to still return js in that scenario then the above solution will not protect you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment