A lot of people use the js responder with ujs, but there are often bugs with how jQuery handles the automatic code execution of js ajax responses, so I agree, it's something I wouldn't mind deprecating.
One reason people tend to use js responders is to use js.erb to embed values from ruby into the returned js, but I think a better way to do this is to use json and HTML data attributes to embed values when necessary.
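An illustration of the JSON-in-data-attribute approach described in the post above. This is an added example, not code from the thread or from Rails itself; the helper names (`data_attribute_value`, `render_widget_tag`, `read_back`) and the sample payload are assumptions constructed for the demonstration.

```ruby
require "json"
require "erb"
require "cgi"

# Hypothetical helper: serialise a Ruby value as JSON, then HTML-escape it so
# it can sit inside a data-* attribute. The value never lands in a JavaScript
# context, so quotes or "</script>" in user data cannot break out of the
# attribute the way they can in a js.erb template.
def data_attribute_value(value)
  ERB::Util.html_escape(JSON.generate(value))
end

# Render a tag the way a view partial would, with the payload in data-config.
def render_widget_tag(config)
  %(<div id="widget" data-config="#{data_attribute_value(config)}"></div>)
end

# What browser-side code does with JSON.parse(el.dataset.config), simulated
# here by un-escaping the attribute and parsing it, so the round trip can be
# checked without a browser.
def read_back(tag)
  attr = tag[/data-config="([^"]*)"/, 1]
  JSON.parse(CGI.unescapeHTML(attr))
end

# Constructed sample: a value that would be an XSS payload inside a script body.
SAMPLE_CONFIG = {
  "name"  => "</script><script>alert(1)</script>",
  "count" => 3,
}
```

The client reads the attribute with `JSON.parse(element.dataset.config)`; the server never has to emit executable JavaScript, which is the point of preferring this over `js.erb`.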
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-co...@googlegroups.com.
To post to this group, send email to rubyonra...@googlegroups.com.
Visit this group at http://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/groups/opt_out.
--
@dhh, as I mentioned above, for GET requests this will always be a security breach.
Rails.application.config.host = 'example.com'
Rails.application.config.hosts = %w(example.com example.com.br)
http://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses
This is the solution used by Facebook and Google.
http://blag.7tonlnu.pl/blog/2012/09/27/json-hijacking-in-rails/
Rails should move on to API-like servers and single page apps, not necessarily breaking old school tools, but such a dinosaur should be considered a bad & insecure practice. Why patch it then at all?
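The `while(1);` prefix linked above, shown end to end. This is an added example, not code from the thread, from Google, Facebook or Rails: the middleware class, the upstream app and the client-side parser are all constructed here. It applies the prefix only to JSON bodies of GET responses, since GET is the only request a `<script src=...>` tag can issue, and adds `X-Content-Type-Options: nosniff` so the body is not sniffed as script.

```ruby
require "json"

# Prefix that turns the body into an infinite loop if a hostile page pulls it
# in via <script src=...>; a cooperating XHR client strips it before parsing.
PREFIX = "while(1);"

# Minimal Rack middleware (hypothetical, not Rails' own) that guards JSON
# bodies of GET responses. POST/PUT JSON is left untouched because a script
# tag cannot issue those requests.
class JsonHijackGuard
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    json = headers["Content-Type"].to_s.start_with?("application/json")
    return [status, headers, body] unless env["REQUEST_METHOD"] == "GET" && json

    chunks = []
    body.each { |chunk| chunks << chunk }
    body.close if body.respond_to?(:close)
    guarded = PREFIX + chunks.join
    headers = headers.merge(
      "Content-Length"         => guarded.bytesize.to_s,
      "X-Content-Type-Options" => "nosniff",
    )
    [status, headers, [guarded]]
  end
end

# Constructed upstream app returning a top-level JSON array, the shape most
# exposed to hijacking because an array literal is a complete JavaScript program.
UPSTREAM = lambda do |_env|
  body = JSON.generate([{ "email" => "alice@example.com" }])
  [200, { "Content-Type" => "application/json" }, [body]]
end

# Legitimate client side: insist on the prefix, then parse the remainder.
def parse_guarded_json(body)
  raise ArgumentError, "missing anti-hijacking prefix" unless body.start_with?(PREFIX)
  JSON.parse(body.delete_prefix(PREFIX))
end

# Drive the stack for a given HTTP method and return the response body.
def response_body_for(method)
  _status, _headers, body = JsonHijackGuard.new(UPSTREAM).call("REQUEST_METHOD" => method)
  body.join
end
```

The prefix only helps for responses a third-party page could load as a script; it is not a substitute for the cross-domain restrictions the browser already applies to XHR, and a client that forgets to strip it simply gets a parse error, which is the fail-safe direction.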
--
This attack is not possible with non-js content loaded by XHR or iframes, as the browser enforces cross-domain restrictions for both, and the evil site will not be able to get at the good site's content.
--
If the security concern is only about CSRF, what about not rendering CSRF token in templates at all?
I mean, UJS may solve this problem by appending the CSRF token from the meta tag.
If that's not elegant, since it will require JavaScript even for static forms, we may do that only for .js.erb views.
--
I am trying to imagine "dynamically generated public JavaScript" but nothing comes to my mind.
--