attack prevented by Rack::Protection::RemoteToken

1,015 views
Skip to first unread message

oilpastels

unread,
Dec 8, 2011, 10:29:02 AM12/8/11
to Rack Development
I have a sinatra app that works fine on Heroku, but when requested as
a page tab on facebook returns blank, and the logs read "attack
prevented by Rack::Protection::RemoteToken". What is this about?

Evgeni Dzhelyov

unread,
Dec 8, 2011, 12:20:03 PM12/8/11
to rack-...@googlegroups.com

mateo

unread,
Dec 8, 2011, 4:24:38 PM12/8/11
to Rack Development
Facebook requests pages via POST, and since the referrer is different,
it's tripping up your app's CSRF protection

oilpastels

unread,
Dec 8, 2011, 6:54:55 PM12/8/11
to Rack Development
The problem is exactly what mateo described. I spoke with Konstantin
Haase, the maintainer of the rack-protection gem referenced by Evgeni
above, and he instructed me to:

> set :protection, :except => [:remote_token, :frame_options]

And it worked.

vzmind

unread,
Feb 24, 2012, 8:50:06 AM2/24/12
to rack-...@googlegroups.com
I confirm that solve such issue. Just add
set :protection, :except => [:remote_token, :frame_options]
to your config.ru

----Tks
Reply all
Reply to author
Forward
0 new messages