#321 Add magic encoding comment to generated files - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#321 ✓stale

Add magic encoding comment to generated files

Reported by Michael Trim | June 3rd, 2008 @ 08:05 PM

This patch adds an option to prevent the CSRF (Cross-Site Request Forgery) protection token being included for an individual form, whilst still having the forgery protection enabled.

This is intented only for situations where the form is being submitted to a third-party (e.g. an external search). In such cases, CSRF protection is not needed and revealing the token to the third party is a security risk as they could then submit requests as the user.

Passes existing tests and adds one new test.

add_no_csrf_token_option_to_form_tag.patch 4.9 KB

Comments and changes to this ticket

Pratik June 5th, 2008 @ 10:16 PM
- State changed from “new” to “incomplete”
- Assigned user set to “Pratik”
I think the option should be ":protect_against_forgery => false" to be consistent with the rest of the stuff. Could you please upload a new patch with that ?
Cheers.
You flagged this item as spam.
Michael Trim June 6th, 2008 @ 02:35 AM
- Title changed from “Add :no_csrf_token option to form_tag” to “Add :protect_against_forgery option to form_tag”
Updated patch attached, although thinking about it a bit more I'm not sure whether this is worth the bother since one can easily write the html directly.
- add_protect_against_forgery_option_to_form_tag.patch 5.1 KB
Rohit Arondekar October 15th, 2010 @ 11:25 AM
- State changed from “incomplete” to “stale”
- Tag set to “actionpack, enhancement, patch, request-forgery-protection”
- Importance changed from “” to “Low”
Marking ticket as stale. If this is still an issue please leave a comment with suggested changes, creating a patch with tests, rebasing an existing patch or just confirming the issue on a latest release or master/branches.
Ryan Bigg October 21st, 2010 @ 03:39 AM
Automatic cleanup of spam.
Jeff Kreeftmeijer October 24th, 2010 @ 01:08 PM
Automatic cleanup of spam.
You flagged this item as spam.
bingbing March 26th, 2011 @ 01:19 AM
gucci watches