Rails 4.0 + Rails 4.1 CSRF problems affecting IE 11, Edge, newer versions of Android and mobile Safari


Jason Fleetwood-Boldt

Aug 7, 2017, 1:35:39 PM
to rubyonra...@googlegroups.com
Rails community,

I have been investigating and debugging a serious, widespread problem with our Rails 4.1 app (I realize Rails 4.1 is no longer supported; see below).

This is not a simple "pass the CSRF token from the form to the controller" question.

This appears to me to be a serious, widespread architectural flaw in Rails 4.0 and Rails 4.1 that appears to make those versions of Rails essentially incompatible with newer browsers. (The newer browsers, by the way, appear not to be respecting Cache-Control headers, which looks to me like the root of the problem.)

The problem is detailed here:

https://stackoverflow.com/questions/45329731/csrf-tokens-to-not-match-what-is-in-session-rails-4-1?noredirect=1#comment77622671_45329731


Quick question: 

As explained here, I understand the CSRF implementation to be different in Rails 5. Specifically, each form gets its own token. My question is this: does this new design in Rails 5 eliminate or lessen the symptom described in my SO post above?

If so, this would be a compelling reason for us to upgrade to Rails 5, as we think we are losing a significant amount of traffic due to this bug.

If not, I am wondering if others are seeing this too and what can be done to address this issue. 

-Jason




If you'd like to reply by encrypted email, you can find my public key on jasonfleetwoodboldt.com (more about setting up GPG: https://gpgtools.org).

Jason Fleetwood-Boldt

Aug 7, 2017, 2:59:11 PM
to rubyonra...@googlegroups.com
Incidentally, shortly after I wrote this I think I came across a lead as to what our problem is. 

Nonetheless, I am still interested in hearing from the community whether this affects others and how people went about debugging/fixing it.

Following up on the SO post is actually slightly easier than processing email chains, so if anyone has anything to add to the SO post, please feel free to post it there.

-Jason


--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-co...@googlegroups.com.
To post to this group, send email to rubyonra...@googlegroups.com.
Visit this group at https://groups.google.com/group/rubyonrails-core.
For more options, visit https://groups.google.com/d/optout.

Jason Fleetwood-Boldt

Sep 6, 2017, 2:06:22 PM
to rubyonra...@googlegroups.com
Just wanted to follow up on this message from August 7th to report that I have identified the problem and implemented a fix.

Specifically, I am bringing this to the attention of Rails core because the default Cache-Control headers in Rails cause the problem.

Importantly, the problem affects newer browsers, not older ones: Edge 13 & 14, newer Android Chrome clients, etc. (We rarely see bugs that affect only newer clients, which is why I'm highlighting this.)

Obviously, this is easily patched on any version of Rails right inside your ApplicationController.

Nonetheless, I think it is a significant enough bug that Rails core might want to review it and consider changing the default Cache-Control headers in future versions of Rails. As it is easily patched in one's own app, I see no need to patch previous versions.

Essentially, for a working no-cache strategy, what you want is this:

# Run as a before_action in ApplicationController so that no page carrying a
# form (and its CSRF token) is stored by the browser or an intermediate cache.
def set_cache_headers
  response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
  response.headers["Pragma"] = "no-cache"                          # for HTTP/1.0 caches
  response.headers["Expires"] = "Mon, 01 Jan 1990 00:00:00 GMT"    # a date in the past
end









> Begin forwarded message:
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-co...@googlegroups.com.
> To post to this group, send email to rubyonra...@googlegroups.com.
> Visit this group at https://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/d/optout.
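To make the failure mode in this thread concrete, here is an added example (not Rails' own code, and not from the poster): a toy model of the Rails 4.0/4.1 session-token CSRF check, a browser cache that reuses a stored form page unless it was marked no-store, and a session rotation between two page loads. With the Cache-Control value Rails 4.x emits by default ("max-age=0, private, must-revalidate") the toy browser serves the stale page, so the submitted token no longer matches the session; with the no-store policy from the post above, the page is re-rendered and the POST is accepted. The class and method names (ToyServer, ToyBrowser, simulate) are invented for the illustration, and the browser's "cache anything that is not no-store" rule is a deliberate simplification standing in for the non-compliant caching the poster observed.

```ruby
require 'securerandom'

# Toy stand-in for the parts of Rails 4.x RequestForgeryProtection that matter
# here: one token per session, and the form field must equal it.
class ToyServer
  attr_reader :cache_control

  def initialize(cache_control)
    @cache_control = cache_control
    @session = {}
  end

  # Mirrors form_authenticity_token: created lazily, stored in the session.
  def authenticity_token
    @session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # GET of a page containing a form: hidden-field token plus the app's
  # Cache-Control header.
  def render_form
    {
      headers: { 'Cache-Control' => cache_control },
      body:    { authenticity_token: authenticity_token }
    }
  end

  # Mirrors verified_request?: submitted token must equal the session's
  # (Rails uses a constant-time compare; == is enough for the model).
  def accept_post?(params)
    params[:authenticity_token] == authenticity_token
  end

  # The session cookie expires or is replaced by a fresh session.
  def reset_session!
    @session = {}
  end
end

# Assumption (simplification): this browser reuses any stored copy of the page
# unless the response said no-store, standing in for the history/back-forward
# caching that ignores max-age=0 / must-revalidate.
class ToyBrowser
  def initialize
    @cache = {}
  end

  def get(server)
    return @cache[:form] if @cache.key?(:form)

    response = server.render_form
    unless response[:headers]['Cache-Control'].include?('no-store')
      @cache[:form] = response
    end
    response
  end
end

# Returns true if the POST made from the second page load is accepted.
def simulate(cache_control)
  server  = ToyServer.new(cache_control)
  browser = ToyBrowser.new

  browser.get(server)          # first visit: page rendered with token T1
  server.reset_session!        # session rotates; T1 is no longer valid
  page = browser.get(server)   # second visit: fresh render, or cached T1?

  server.accept_post?(page[:body])
end

RAILS_DEFAULT = 'max-age=0, private, must-revalidate'                 # Rails 4.x default
NO_STORE      = 'no-cache, no-store, max-age=0, must-revalidate'      # from the post above

if $PROGRAM_NAME == __FILE__
  puts "default Cache-Control, page served from cache: #{simulate(RAILS_DEFAULT)}"
  puts "no-store Cache-Control, page re-rendered:       #{simulate(NO_STORE)}"
end
```

Running the file prints false for the default policy and true for the no-store policy. The model only says something about a browser that actually honours no-store; it does not settle whether the Rails 5 per-form tokens asked about in the first message change the outcome, since that depends on how those tokens relate to the session token.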
