This project is archived and is in readonly mode.
authenticity_token appears in URLs after AJAX GET request
Reported by James Le Cuirot | May 4th, 2008 @ 12:00 PM
If you create an AJAX request via remote_function and specify GET as the method, the authenticity_token parameter is added even though it isn't needed. Consequently, the authenticity_token appears in some URLs such as pagination links on the following page.
This patch ensures that the parameter is not added for GET requests. It checks against js_options rather than options to avoid the confusion surrounding method_option_to_s.
This has been tested with edge and 2.0.2.
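The following is an added illustration, not the patch attached to this ticket and not Rails code: a constructed Ruby stand-in for the part of a remote_function-style helper that decides whether to append the token, alongside the pre-fix behaviour, and a simulated pagination link rebuilt from the request's query string to show how a token sent on a GET ends up in URLs. The helper names (`normalize_method`, `ajax_parameters`, `pagination_link`) and the sample token are assumptions chosen for the example.

```ruby
require 'cgi'

# Constructed example; parameter name matches the Rails default but the
# helpers below are not the Rails implementation.
AUTH_TOKEN_NAME = 'authenticity_token'

# Normalise the :method option as callers tend to pass it: :get, 'get',
# "'get'" (already JS-quoted, the source of the method_option_to_s
# confusion) or nil, which falls back to POST as remote_function does.
def normalize_method(method)
  m = method.to_s.strip.delete("'\"").downcase
  m.empty? ? 'post' : m
end

# Only state-changing verbs need CSRF protection; GET must stay idempotent
# and is not protected by Rails' forgery check anyway.
def protected_method?(method)
  normalize_method(method) != 'get'
end

# Pre-fix behaviour: the token is appended regardless of the verb, so a GET
# carries it in the query string.
def ajax_parameters_before_fix(options, token)
  params = options[:with] ? [options[:with]] : []
  params << "#{AUTH_TOKEN_NAME}=#{CGI.escape(token)}" if token
  params.join('&')
end

# Fixed behaviour: append the token only for non-GET requests. A token in a
# GET URL leaks through Referer headers, proxy and server logs, browser
# history, and any link later built from request.params.
def ajax_parameters(options, token)
  params = options[:with] ? [options[:with]] : []
  if protected_method?(options[:method]) && token
    params << "#{AUTH_TOKEN_NAME}=#{CGI.escape(token)}"
  end
  params.join('&')
end

# Server-side stand-in for a pagination helper that rebuilds a link from
# the incoming query string, preserving every parameter it received.
def pagination_link(path, query, page)
  params = CGI.parse(query)            # name => [values]
  params['page'] = [page.to_s]
  pairs = params.flat_map { |k, vs| vs.map { |v| "#{k}=#{CGI.escape(v)}" } }
  "#{path}?#{pairs.join('&')}"
end

if __FILE__ == $PROGRAM_NAME
  token = 'abc123' # constructed sample token
  leaky = ajax_parameters_before_fix({ method: :get, with: 'q=foo' }, token)
  fixed = ajax_parameters({ method: :get, with: 'q=foo' }, token)
  puts "before fix: #{pagination_link('/search', leaky, 2)}"
  puts "after fix:  #{pagination_link('/search', fixed, 2)}"
  puts "POST:       #{ajax_parameters({ method: :post, with: 'q=foo' }, token)}"
end
```

Run it directly to see the two pagination links side by side; the only difference is whether `authenticity_token` survives into the second page's URL.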
Comments and changes to this ticket
-
Sean Ouimet May 5th, 2008 @ 12:08 PM
+1 ... had some code already close to doing this. Did a before and after applying this change and it is confirmed to remove the unnecessary token.
The only annoyance was git didn't like applying the patch because of a lack of a valid email address.
-
James Le Cuirot May 5th, 2008 @ 12:17 PM
Not sure what you mean but if you need my address, it's chewi@aura-online.co.uk.
-
Sean Ouimet May 5th, 2008 @ 12:22 PM
$ git am < ~/Desktop/authenticity-token-ajax-get.diff
Patch does not have a valid e-mail address.
-
James Le Cuirot May 5th, 2008 @ 12:35 PM
I'm still very new to git and while I understand the concept, it still confuses the hell out of me. However, from what I can see "am" is for merging patches from a mailbox. You should use "apply" instead.
-
Pratik May 11th, 2008 @ 10:46 PM
- State changed from new to incomplete
The patch needs tests.
Thanks!
-
James Le Cuirot May 11th, 2008 @ 11:22 PM
I was going to add some but I think forgery protection is disabled during tests anyway?
-
Pratik May 11th, 2008 @ 11:47 PM
Chewi, have a look at request_forgery_protection_test.rb file. That should give you a rough idea.
Thanks.
-
James Le Cuirot May 15th, 2008 @ 11:24 AM
Ah I was looking at prototype_helper_test.rb. The thing is there is currently no test to check whether remote_function DOES add the token for non-GET requests either. I guess I should write one for that too?
-
CancelProfileIsBroken August 3rd, 2009 @ 03:20 PM
- Tag set to actionpack, edge, patch, request-forgery-protection
- State changed from incomplete to resolved
Obsolete due to updates in the past year ;)
-
justin July 27th, 2010 @ 05:15 PM
- Importance changed from to
Why was this closed out as resolved with the note that it is obsolete?
I see this bug in 2.3.5 and the head of the Rails source (RC for Rails 3) shows the same code.
See line #620 of ActionView::Helpers#options_for_ajax here:
http://github.com/rails/rails/blob/master/actionpack/lib/action_vie...