Rails4 - How to receive and send JSON data securely through Ajax and store it?

Suresh Kumar
Nov 9, 2014, 1:55:29 AM
to rubyonra...@googlegroups.com
I have a page (like https://www.helloabc.com/han.html) that is loaded
inside an iframe on an app of a different domain. I added the following to
enable loading the page in an iframe and remove the error ("Refused to
display document because display forbidden by X-Frame-Options").

  config.action_dispatch.default_headers['X-Frame-Options'] = "ALLOW-FROM https://xyz.com"

The iframe page sends JSON data through Ajax to another page as follows:

  $.ajax({
    url: 'https://www.helloabc.com/hello',
    type: 'POST',
    dataType: 'json',
    data: {
      "url" : hjurl,
      "data" : senddatavar
    },
    success: function(a){
      console.log("success");
      console.log(a.message);
    },
    error: function(request, status, error) {
      console.log("error");
    }
  });

I received it as follows:

  heroku[router]: at=info method=POST path="/hello" host=www.helloabc.com request_id=7163f18c-16c8-47ab-b4bf-602d12c9c67d fwd="117.203.154.1" dyno=web.1 connect=3ms service=13ms status=422 bytes=359
  app[web.1]: Started POST "/hello" for 117.203.154.1 at 2014-11-07 12:15:59 +0000
  app[web.1]: Completed 422 Unprocessable Entity in 1ms
  app[web.1]: Processing by HomePageController#hellojson as JSON
  app[web.1]: Parameters: {"url"=>"https://abc.yupp.com/hs/_/krfdsgea", "data"=>{"0"=>{"id"=>"231bacacdsf928", "person"=>{"id"=>"2342762436", "dName"=>"wwwww", "image"=>{"url"=>"https://sbc/photo.jpg"}},}}}
  app[web.1]: Can't verify CSRF token authenticity
  app[web.1]:
  app[web.1]: ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

So I changed my controller as follows to avoid this problem:

  class HomePageController < ApplicationController

    skip_before_filter :verify_authenticity_token, only: [:hellojson]

    def hello
    end

    def hellojson
      respond_to do |format|
        format.html
        format.json { render :json => { :status => 'Ok', :message => 'Received' }, :status => 200 }
      end
    end

  end

I just read that adding "skip_before_filter :verify_authenticity_token"
will lead to a serious security problem. How do I solve this?

After this I am able to receive data, and I get 200 OK in my iframe
page.

  heroku[router]: at=info method=POST path="/hello" host=www.helloabc.com request_id=ac3ed869-75cc-484f-94ea-65ea2fccbb9e fwd="117.203.154.1" dyno=web.1 connect=3ms service=26ms status=200 bytes=900
  app[web.1]: Started POST "/hello" for 117.203.154.1 at 2014-11-07 16:45:29 +0000
  app[web.1]: Processing by HomePageController#hellojson as JSON
  app[web.1]: Parameters: {"url"=>"https://abc.yupp.com/hs/_/krki5gea", "data"=>{"0"=>{"id"=>"937bacaeb0f928", "person"=>{"id"=>"1984762436", "dName"=>"zzzzz", "image"=>{"url"=>"https://sbc/photo.jpg"}}, }}}
  app[web.1]: Completed 200 OK in 2ms (Views: 0.4ms | ActiveRecord: 0.0ms)

I am new to Rails. I don't know how to grab this data and store it, and
I don't know how to do it the right way.
Can anyone please share what the best practice is to send data through
Ajax securely and store it?

--
Posted via http://www.ruby-forum.com/.

Frederick Cheung
Nov 9, 2014, 11:08:51 AM
to rubyonra...@googlegroups.com

On Sunday, November 9, 2014 6:55:29 AM UTC, Ruby-Forum.com User wrote:
> I have a page (like https://www.helloabc.com/han.html) that is loaded
> inside an iframe on an app of a different domain. I added the following to
> enable loading the page in an iframe and remove the error ("Refused to
> display document because display forbidden by X-Frame-Options").
>
> config.action_dispatch.default_headers['X-Frame-Options'] = "ALLOW-FROM https://xyz.com"

Just a warning - Allow-from isn't supported by all browsers (https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options)


> I just read that adding "skip_before_filter :verify_authenticity_token"
> will lead to a serious security problem. How do I solve this?


Skipping the authenticity token means that a 3rd party can trick one of your users into loading https://www.helloabc.com/hello (for example, if they visit a page with an image whose src is set to that). Furthermore, if the user is logged in, then that request is made with that user's credentials.

This is not necessarily a problem: for example if your hellojson action doesn't require authentication in the first place, then you've not enabled the attacker to do anything they can't already do.

It's not clear to me what the iframe has to do with all this - is the relevance just that since your session cookie is a 3rd party cookie, it's not being saved?

Fred
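The browser-support caveat above has a sharp edge: a browser that does not understand ALLOW-FROM does not fall back to anything, it discards the X-Frame-Options header and lets any site frame the page. The standards-track way to name allowed framing origins is Content-Security-Policy's frame-ancestors directive. Below is an added example (not code from the thread or from Rails) of a small Rack middleware that sends frame-ancestors on every response and keeps X-Frame-Options only when it can say the same thing; mounting it with config.middleware.use, the origin list and the `FrameAncestors` name are assumptions for illustration.

```ruby
# Added example: Rack middleware that restricts which origins may frame the app.
# Browsers agree only on X-Frame-Options DENY and SAMEORIGIN; ALLOW-FROM was
# honoured by IE and Firefox, and a browser that does not recognise the value
# drops the header, leaving the page frameable by any site. CSP frame-ancestors
# is the standards-track replacement and can list several origins, so it is
# always sent. Mount with: config.middleware.use FrameAncestors, ['https://xyz.com']
class FrameAncestors
  def initialize(app, allowed_origins)
    @app = app
    @allowed = allowed_origins
  end

  # Headers expressing "only these origins may frame us".
  def self.headers_for(allowed_origins)
    headers = { 'Content-Security-Policy' => "frame-ancestors #{allowed_origins.join(' ')}" }
    if allowed_origins.size == 1
      # A single origin is the only policy the legacy header can express.
      headers['X-Frame-Options'] = "ALLOW-FROM #{allowed_origins.first}"
    end
    headers
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Rails' default_headers already set X-Frame-Options: SAMEORIGIN. With more
    # than one allowed origin the legacy header cannot express the policy, so
    # drop it rather than let it block framing from the additional origins.
    merged = headers.reject { |k, _| k == 'X-Frame-Options' }
    [status, merged.merge(self.class.headers_for(@allowed)), body]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Stand-in for the Rails app: constructed response carrying Rails' default header.
  app = ->(_env) { [200, { 'X-Frame-Options' => 'SAMEORIGIN' }, ['han.html']] }
  _, headers, = FrameAncestors.new(app, ['https://xyz.com']).call({})
  headers.each { |k, v| puts "#{k}: #{v}" }
end
```

Browsers of the period that did not yet implement frame-ancestors still see ALLOW-FROM, so the single-origin case loses nothing compared with the config line in the question; the multi-origin case is simply not expressible in X-Frame-Options and has to rely on CSP.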

Suresh Kumar
Nov 13, 2014, 5:34:31 AM
to rubyonra...@googlegroups.com
Hey Frederick Cheung, thanks for the reply.
I removed "skip_before_filter :verify_authenticity_token" and
sent the authenticity token as a parameter, and it worked. :)
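To make concrete both Fred's description of what skipping the check gives an attacker and the fix in the final reply, here is an added example (not code from the thread or from Rails) that models in plain Ruby what protect_from_forgery does: one random token per session, accepted either as the authenticity_token parameter or in the X-CSRF-Token header (the header jquery-ujs fills from <meta name="csrf-token">), compared in constant time. It runs a forged cross-site POST and the iframe page's own requests against a protected controller and against the skipping variant, then whitelists the nested JSON from the log before "storing" it. Rails 4.2 additionally masks the token per request; that is left out. The names Sessions, HelloJson, Request and permit are illustrative, and the request bodies reuse values from the second log in the thread plus a constructed 'admin' key.

```ruby
require 'securerandom'

# Added example modelling Rails' CSRF check; not Rails code. Names are illustrative.
Request = Struct.new(:verb, :path, :cookies, :headers, :params)

class Sessions
  def initialize; @store = {}; end

  # New session id plus its CSRF token. In Rails the token lives in the session
  # and is rendered into the page for the page's own JavaScript to read.
  def create
    sid = SecureRandom.hex(16)
    @store[sid] = { csrf_token: SecureRandom.base64(32) }
    sid
  end

  def [](sid); @store[sid]; end
end

class HelloJson
  PERMITTED_PERSON = %w[id dName].freeze
  attr_reader :saved

  def initialize(sessions, skip_csrf: false)
    @sessions = sessions
    @skip_csrf = skip_csrf # models skip_before_filter :verify_authenticity_token
    @saved = []
  end

  def call(req)
    session = @sessions[req.cookies['_session_id']]
    return [401, {}] unless session
    unless @skip_csrf || verified_request?(req, session)
      return [422, { error: "Can't verify CSRF token authenticity" }]
    end
    @saved << permit(req.params)
    [200, { status: 'Ok', message: 'Received' }]
  end

  private

  # GET/HEAD are exempt, as in Rails; anything else must present the session's
  # token via the authenticity_token parameter or the X-CSRF-Token header.
  def verified_request?(req, session)
    return true if %w[GET HEAD].include?(req.verb)
    presented = req.params['authenticity_token'] || req.headers['X-CSRF-Token']
    presented.is_a?(String) && secure_compare(presented, session[:csrf_token])
  end

  # Constant-time comparison so response timing cannot leak the token.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Strong-parameters style whitelist over the nested JSON shown in the log:
  # keep only expected keys and flatten the image URL before storing.
  def permit(params)
    rows = (params['data'] || {}).values.map do |row|
      person = row.fetch('person', {})
      { 'id' => row['id'],
        'person' => person.select { |k, _| PERMITTED_PERSON.include?(k) }
                          .merge('image_url' => person.dig('image', 'url')) }
    end
    { 'url' => params['url'], 'rows' => rows }
  end
end

# Three requests against a protected app and the skipping variant. Body values
# come from the thread's log; the 'admin' key is constructed and must be dropped.
def demo
  sessions = Sessions.new
  sid = sessions.create
  token = sessions[sid][:csrf_token]
  cookie = { '_session_id' => sid }
  body = { 'url' => 'https://abc.yupp.com/hs/_/krki5gea',
           'data' => { '0' => { 'id' => '937bacaeb0f928',
                                'person' => { 'id' => '1984762436', 'dName' => 'zzzzz',
                                              'image' => { 'url' => 'https://sbc/photo.jpg' },
                                              'admin' => true } } } }
  # Attacker page auto-submits a form to /hello: the browser attaches the victim's
  # cookie, but the attacker cannot read the token, so the request carries none.
  forged     = Request.new('POST', '/hello', cookie, {}, body)
  via_header = Request.new('POST', '/hello', cookie, { 'X-CSRF-Token' => token }, body)
  via_param  = Request.new('POST', '/hello', cookie, {}, body.merge('authenticity_token' => token))
  protected_app = HelloJson.new(sessions)
  skipping_app  = HelloJson.new(sessions, skip_csrf: true)
  { forged_when_protected: protected_app.call(forged)[0],
    via_header_when_protected: protected_app.call(via_header)[0],
    via_param_when_protected: protected_app.call(via_param)[0],
    forged_when_skipped: skipping_app.call(forged)[0],
    stored: protected_app.saved.first }
end

puts demo if __FILE__ == $PROGRAM_NAME
```

The forged request gets the same 422 the first log shows; with the filter skipped it gets 200 and its payload is stored under the victim's session, which is the problem Fred describes. Sending the token in the header is preferable to a parameter in practice because the same beforeSend hook covers every Ajax call and the token never lands in the request body that gets logged.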