Ruby on Rails Sunday, November 9, 2014



On Sunday, November 9, 2014 6:55:29 AM UTC, Ruby-Forum.com User wrote:
I have a page(like https://www.helloabc.com/han.html) that is loaded
inside an iframe on an app of different domain. I added the following to
enable loading the page in an iframe to remove the error("Refused to
display document because display forbidden by X-Frame-Options").

config.action_dispatch.default_headers['X-Frame-Options'] = "ALLOW-FROM https://xyz.com"

Just a warning - Allow-from isn't supported by all browsers (https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options)


I just read that adding "skip_before_filter :verify_authenticity_token"
will lead to serious security problem. How do I solve this?


Skipping the authenticity token means that a 3rd party can trick one of your users into loading https://www.helloabc.com/hello (for example, if they visit a page with an image whose src is set to that). Furthermore, if the user is logged in, then that request is made with that user's credentials.

This is not necessarily a problem: for example if your hellojson action doesn't require authentication in the first place, then you've not enabled the attacker to do anything they can't already do.

It's not clear to me what the iframe has to do with all this - is the relevance just that since your session cookie is a 3rd party cookie, it's not being saved?

Fred

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/4f1966c2-e9d6-47d0-9836-b45eaebdca27%40googlegroups.com.
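A pure-Ruby model of the check Fred is describing, added here as an illustration; it is not code from the thread and not Rails' own implementation. It reproduces the shape of Rails' verify_authenticity_token: a random token stored in the session, echoed back by the app's own forms as a hidden authenticity_token field (or X-CSRF-Token header), compared in constant time on every request that is not GET/HEAD/OPTIONS, with an exemption list standing in for `skip_before_filter :verify_authenticity_token, only: [...]`. The action names hello and hellojson come from the thread; the CsrfGuard class, the request hashes and the attacker page are assumptions for the example. The last scenario models Fred's closing question about the third-party iframe: a request that arrives without the session cookie carries no stored token to match, so the check fails even for a genuine form.

```ruby
require "securerandom"

# Added example: a simplified stand-in for Rails' authenticity-token check.
# Real apps should keep protect_from_forgery and not reimplement this.
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze # Rails never checks these

class CsrfGuard
  TOKEN_BYTES = 32

  # skip_for: actions exempted from the check, mirroring
  # skip_before_filter :verify_authenticity_token, only: [...]
  def initialize(skip_for: [])
    @skip_for = skip_for
  end

  # Mints (once per session) the token that the app's own forms embed,
  # like Rails storing it in session[:_csrf_token].
  def token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(TOKEN_BYTES)
  end

  # true when the request may proceed, false when it must be rejected
  def verified?(session, request)
    return true if SAFE_METHODS.include?(request[:method])
    return true if @skip_for.include?(request[:action])

    expected  = session[:_csrf_token]
    presented = request.dig(:params, "authenticity_token") ||
                request.dig(:headers, "X-CSRF-Token")
    return false if expected.nil? || presented.nil?

    secure_compare(expected, presented)
  end

  private

  # Constant-time comparison so an attacker cannot probe the token byte by
  # byte via timing (Rails uses Rack::Utils.secure_compare for this).
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenarios (hypothetical requests, not captured traffic).
def demo
  guard   = CsrfGuard.new(skip_for: ["hellojson"]) # only hellojson is exempt
  session = {}
  token   = guard.token_for(session) # what the app's own form would carry

  # Genuine submission from helloabc.com's own form: token present.
  legit_post  = { method: "POST", action: "hello",
                  params: { "authenticity_token" => token, "name" => "han" } }
  # Auto-submitting hidden form on attacker.example: browser attaches the
  # victim's cookies, but the attacker cannot read the token to include it.
  forged_post = { method: "POST", action: "hello", params: { "name" => "evil" } }
  # <img src="https://www.helloabc.com/hello"> from Fred's reply: a GET,
  # which Rails does not check, so the action must be side-effect free.
  forged_img  = { method: "GET", action: "hello", params: {} }
  # The exempted action: reachable cross-site, so it must not need a session.
  forged_json = { method: "POST", action: "hellojson", params: {} }
  # Fred's last question: the form inside the third-party iframe carries the
  # token, but the session cookie was not sent, so there is nothing to match.
  iframe_session = {}

  {
    legit_post:         guard.verified?(session, legit_post),
    forged_post:        guard.verified?(session, forged_post),
    forged_image_get:   guard.verified?(session, forged_img),
    exempt_json_post:   guard.verified?(session, forged_json),
    third_party_iframe: guard.verified?(iframe_session, legit_post),
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The practical reading: do not skip the filter globally. If hellojson must be callable by the embedding site without a token, exempt only that action and make sure it does nothing that requires the caller to be logged in, which is exactly the condition Fred gives for the skip being harmless. If the embedded page needs an authenticated session inside the iframe, the thing to fix is the cookie not being sent on the third-party request, not the token check.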
