#4084 UJS silently fails when csrf_meta_tag is not present - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#4084 ✓invalid

UJS silently fails when csrf_meta_tag is not present

Reported by Kieran P | March 2nd, 2010 @ 03:40 AM | in 3.0.2

The current Rails UJS files fail silently for things like link_to ..., :method => :delete, :confirm => 'Are you sure? when the tag for csrf_meta_tag is not sent. Since it is required, it really should throw an alert if the tag is not found, rather than confusing us poor people :-P

reference: http://www.themodestrubyist.com/2010/02/24/rails-3-ujs-and-csrf-met...

Comments and changes to this ticket

You flagged this item as spam.
Kieran P March 2nd, 2010 @ 03:42 AM
- Tag set to “ujs”
José Valim March 3rd, 2010 @ 09:07 AM
Please provide a patch!
You flagged this item as spam.
Steve St. Martin April 13th, 2010 @ 04:57 PM
- Tag changed from “ujs” to “patch, ujs”
resolved for jquery-ujs with commit http://github.com/rails/jquery-ujs/commit/ac78a119772f2d1bb495ff2b9..., patch provided for prototype-ujs
- csrf_token.diff 1 KB
You flagged this item as spam.
Steve St. Martin April 15th, 2010 @ 02:59 PM
- Assigned user set to “josh”
assigning to josh for commit to prototype driver
José Valim April 15th, 2010 @ 06:11 PM
- State changed from “new” to “resolved”
This is fixed on master.
You flagged this item as spam.
Kieran P April 15th, 2010 @ 08:25 PM
Actually José, it isn't fixed on the master yet: http://github.com/rails/rails/blob/master/railties/lib/rails/genera...
José Valim April 15th, 2010 @ 08:34 PM
Sorry, I completely misread the ticket.

At first, it was announcing when csrf_meta_tag was not present. But this was changed, because you may disable csrf protection in some pages and the javascript code should work anyway. So the current JS code is correct.

But I know it's a pain in the ass that it fails silently. Maybe we should try to do something in the Ruby side. For instance, whenever csrf protection is enabled but the user do not add call csrf_meta_tag, we could print a warning.

Ideas are welcome. :)
José Valim April 15th, 2010 @ 08:54 PM
- State changed from “resolved” to “open”
- Assigned user changed from “josh” to “José Valim”
- Milestone cleared.
You flagged this item as spam.
Steve St. Martin April 15th, 2010 @ 09:52 PM
I think this only really applies to links that have data-method other then GET, as form_for will create the token. Currently in the jQuery driver I'm only solving the most common use case of link_to :method => :delete with an exception as its part of the scaffolded code.

Keeping an eye on this so we can solve it in a consistent manner.
José Valim April 18th, 2010 @ 06:52 AM
I agree this is an issue, but I still disagree with the solution. The JS drivers should not enforce CSRF because Rails does not do so.
Dan Pickett May 15th, 2010 @ 01:49 AM
- Tag changed from “patch, ujs” to “bugmash, patch, ujs”
Rizwan Reza May 15th, 2010 @ 10:19 AM
- Tag changed from “bugmash, patch, ujs” to “patch, ujs”
- State changed from “open” to “invalid”
Jeremy Kemper October 15th, 2010 @ 11:01 PM
- Milestone set to “3.0.2”
- Importance changed from “” to “Low”
[bulk edit]