[obs-commits] [PATCH] [webui] Fix CSRF protection with Ajax POST/GET/... requests thru jQuery.
- From: OBS build-service <opensuse-buildservice@xxxxxxxxxxxx>
- Date: Thu, 3 Nov 2011 15:56:42 +0100
- Message-id: <1320332202-23422-1-git-send-email-opensuse-buildservice@opensuse.org>
From: Sascha Peilicke <saschpe@xxxxxxx>
Whenever 'protect_from_forgery' is set in the ApplicationController and a
non-GET request happens, Rails-2.x.x checks the 'authenticity_token' request
parameter for the CSRF protection token. For Rails-generated forms (like
<%= form_tag %>), the authenticity_token is an automatically added
hidden input field. For Ajax requests it's similar: Rails-2.x.x uses Prototype
as its default JavaScript toolkit and adds a convenience wrapper to
automagically send the 'authenticity_token' (similarly for jrails).
However, we are using the marvelous jQuery, thus we have to do this
ourselves. We could either add the authenticity token in every jQuery
Ajax request like this:
$.ajax({
url: '<%= url_for ..., %>,'
data: {
authenticity_token: '<%= form_authenticity_token %>',
...
},
success: function() { ... }
});
Instead, this commit implements the solution posted here:
http://henrik.nyh.se/2008/05/rails-authenticity-token-with-jquery
---
.../vendor/bento/layouts/application.html.erb | 4 ++++
src/webui/public/javascripts/application.js | 8 ++++++++
src/webui/public/javascripts/layout-squashed.js | 10 +++++++++-
3 files changed, 21 insertions(+), 1 deletions(-)
diff --git a/src/webui/app/views/vendor/bento/layouts/application.html.erb
b/src/webui/app/views/vendor/bento/layouts/application.html.erb
index f2f982d..65176f3 100644
--- a/src/webui/app/views/vendor/bento/layouts/application.html.erb
+++ b/src/webui/app/views/vendor/bento/layouts/application.html.erb
@@ -45,6 +45,10 @@
<% end %>
<%= yield :ready_function %>
});
+ <%# See:
http://henrik.nyh.se/2008/05/rails-authenticity-token-with-jquery and %>
+ <% if protect_against_forgery? %>
+ var CSRF_PROTECT_AUTH_TOKEN = <%= raw form_authenticity_token.inspect
%>;
+ <% end %>
<% end %>
</head>
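Review bot: The ERB comment added on the first two `+` lines is truncated — it reads `See: <url> and %>` with nothing after the "and", so the next reader is left guessing what the second reference was meant to be. I would close it as `<%# See: http://henrik.nyh.se/2008/05/rails-authenticity-token-with-jquery -- the token is picked up by the ajaxSend hook in application.js %>`. The value itself is emitted with `raw form_authenticity_token.inspect`, i.e. a Ruby string literal pasted unescaped into a JavaScript context; that works for the base64 token Rails generates, but `form_authenticity_token.to_json` would yield a JS-safe literal without relying on that property. The enclosing `<script>` block starts before this hunk.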
diff --git a/src/webui/public/javascripts/application.js
b/src/webui/public/javascripts/application.js
index 320c90b..b49fc7d 100644
--- a/src/webui/public/javascripts/application.js
+++ b/src/webui/public/javascripts/application.js
@@ -237,3 +237,11 @@ function resizeMonitorBoxes()
});
}
+
+$(document).ajaxSend(function(event, request, settings) {
+ if (typeof(CSRF_PROTECT_AUTH_TOKEN) == "undefined") return;
+ // settings.data is a serialized string like "foo=bar&baz=boink" (or null)
+ settings.data = settings.data || "";
+ settings.data += (settings.data ? "&" : "") + "authenticity_token=" +
encodeURIComponent(CSRF_PROTECT_AUTH_TOKEN);
+});
+
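Review bot: The ajaxSend handler appends the token to every request jQuery sends, regardless of method or origin: a GET would carry `authenticity_token` in the query string (where it is logged and leaks via Referer), and a cross-domain or JSONP request hands the token to the remote host, while Rails only checks it on non-GET requests. Guarding at the top with `if (settings.crossDomain || String(settings.type).toUpperCase() == "GET") return;` limits it to the requests that need it (settings.crossDomain exists from jQuery 1.5 on; which version the webui ships is not visible here). The `+=` on settings.data also assumes a string, as the comment says; with `processData: false` and an object or FormData body it would corrupt the body, so `if (typeof settings.data != "string") return;` is a cheap safety. The same handler is added verbatim to layout-squashed.js in the last hunk; if that file is a concatenation of application.js it should be regenerated rather than hand-edited, otherwise the two copies will drift.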
diff --git a/src/webui/public/javascripts/layout-squashed.js
b/src/webui/public/javascripts/layout-squashed.js
index dae5a59..82c446c 100644
--- a/src/webui/public/javascripts/layout-squashed.js
+++ b/src/webui/public/javascripts/layout-squashed.js
@@ -451,7 +451,7 @@ function setup_buildresult_tooltip(element_id, url) {
return "<div id='" + element_id + "_tooltip' style='width:
500px;'>loading buildresult...</div>";
}
});
- $('#' + element_id ).mouseover(function() {
+ $('#' + element_id).mouseover(function() {
if ($('#' + element_id + '_tooltip').html() == 'loading
buildresult...') {
$('#' + element_id + '_tooltip').load(url);
}
@@ -628,3 +628,11 @@ function resizeMonitorBoxes()
});
}
+
+$(document).ajaxSend(function(event, request, settings) {
+ if (typeof(CSRF_PROTECT_AUTH_TOKEN) == "undefined") return;
+ // settings.data is a serialized string like "foo=bar&baz=boink" (or null)
+ settings.data = settings.data || "";
+ settings.data += (settings.data ? "&" : "") + "authenticity_token=" +
encodeURIComponent(CSRF_PROTECT_AUTH_TOKEN);
+});
+
--
1.7.7
Whenever 'protect_from_forgery' is set in the ApplicationController and a
non-GET request happens, Rails-2.x.x checks the 'authenticity_token' request
parameter for the CSRF protection token. For Rails-generated forms (like
<%= form_tag %>), the authenticity_token is an automatically added
hidden input field. For Ajax requests it's similar: Rails-2.x.x uses Prototype
as its default JavaScript toolkit and adds a convenience wrapper to
automagically send the 'authenticity_token' (similarly for jrails).
However, we are using the marvelous jQuery, thus we have to do this
ourselves. We could either add the authenticity token in every jQuery
Ajax request like this:
$.ajax({
url: '<%= url_for ..., %>,'
data: {
authenticity_token: '<%= form_authenticity_token %>',
...
},
success: function() { ... }
});
Instead, this commit implements the solution posted here:
http://henrik.nyh.se/2008/05/rails-authenticity-token-with-jquery
---
.../vendor/bento/layouts/application.html.erb | 4 ++++
src/webui/public/javascripts/application.js | 8 ++++++++
src/webui/public/javascripts/layout-squashed.js | 10 +++++++++-
3 files changed, 21 insertions(+), 1 deletions(-)
diff --git a/src/webui/app/views/vendor/bento/layouts/application.html.erb
b/src/webui/app/views/vendor/bento/layouts/application.html.erb
index f2f982d..65176f3 100644
--- a/src/webui/app/views/vendor/bento/layouts/application.html.erb
+++ b/src/webui/app/views/vendor/bento/layouts/application.html.erb
@@ -45,6 +45,10 @@
<% end %>
<%= yield :ready_function %>
});
+ <%# See:
http://henrik.nyh.se/2008/05/rails-authenticity-token-with-jquery and %>
+ <% if protect_against_forgery? %>
+ var CSRF_PROTECT_AUTH_TOKEN = <%= raw form_authenticity_token.inspect
%>;
+ <% end %>
<% end %>
</head>
diff --git a/src/webui/public/javascripts/application.js
b/src/webui/public/javascripts/application.js
index 320c90b..b49fc7d 100644
--- a/src/webui/public/javascripts/application.js
+++ b/src/webui/public/javascripts/application.js
@@ -237,3 +237,11 @@ function resizeMonitorBoxes()
});
}
+
+$(document).ajaxSend(function(event, request, settings) {
+ if (typeof(CSRF_PROTECT_AUTH_TOKEN) == "undefined") return;
+ // settings.data is a serialized string like "foo=bar&baz=boink" (or null)
+ settings.data = settings.data || "";
+ settings.data += (settings.data ? "&" : "") + "authenticity_token=" +
encodeURIComponent(CSRF_PROTECT_AUTH_TOKEN);
+});
+
diff --git a/src/webui/public/javascripts/layout-squashed.js
b/src/webui/public/javascripts/layout-squashed.js
index dae5a59..82c446c 100644
--- a/src/webui/public/javascripts/layout-squashed.js
+++ b/src/webui/public/javascripts/layout-squashed.js
@@ -451,7 +451,7 @@ function setup_buildresult_tooltip(element_id, url) {
return "<div id='" + element_id + "_tooltip' style='width:
500px;'>loading buildresult...</div>";
}
});
- $('#' + element_id ).mouseover(function() {
+ $('#' + element_id).mouseover(function() {
if ($('#' + element_id + '_tooltip').html() == 'loading
buildresult...') {
$('#' + element_id + '_tooltip').load(url);
}
@@ -628,3 +628,11 @@ function resizeMonitorBoxes()
});
}
+
+$(document).ajaxSend(function(event, request, settings) {
+ if (typeof(CSRF_PROTECT_AUTH_TOKEN) == "undefined") return;
+ // settings.data is a serialized string like "foo=bar&baz=boink" (or null)
+ settings.data = settings.data || "";
+ settings.data += (settings.data ? "&" : "") + "authenticity_token=" +
encodeURIComponent(CSRF_PROTECT_AUTH_TOKEN);
+});
+
--
1.7.7