Ruby on Rails
Tuesday, May 24, 2016

I have a search view which collects a search term from a user and then passes it to the search results view. The results view is constructed in two parts:

1) basic server side rendering which builds the overall structure of the page and includes a search form
2) ActionCable delivers rendered search results after the longish-running search has completed; these views also contain a form

The form from bullet 1 works as expected. The form(s) from bullet 2 fail CSRF checks.

My understanding is that CSRF tokens are added to the session when the page is rendered. As such, the first form works as it has a reference to the session. The forms in bullet 2 are generated by ActiveJob, and the rendered view is then delivered to the browser via ActionCable. I believe that there is no session mapping here.

Can anyone suggest a good approach to correctly allowing form submission with CSRF prevention in place on a form delivered asynchronously from an ActiveJob via ActionCable?

I know I can get the browser to re-write the async tokens with JavaScript, but that feels like quite a hack.

Thanks,
Dave 

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/9caa4214-58db-4547-8c30-d458531c7cf8%40googlegroups.com.
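The mechanism behind the question, as an added illustration: this is my own plain-Ruby model of how Rails' `ActionController::RequestForgeryProtection` mints and checks the token, not Rails' code and not part of the original thread; the session hashes, the "job session" and the reduced form are constructed stand-ins. The token placed in a form is a masked copy of a secret kept in the session, so a view rendered by ActiveJob with no request session embeds a token tied to some other secret and fails the check, while the token in the page's `csrf-token` meta tag was rendered inside the session and verifies for any form on that page. That meta-tag value is the same source rails-ujs's `refreshCSRFTokens()` copies into every form's hidden field and sends as the `X-CSRF-Token` header on non-GET XHR.

```ruby
require 'securerandom'

# Toy model of Rails' session-bound CSRF protection (added illustration,
# not Rails' own code). The session holds one raw secret; every rendered
# form, and the <meta name="csrf-token"> tag, carries a freshly masked copy
# of it; on submit the server unmasks the value and compares it with the
# session's secret. Rails' real implementation also accepts a legacy
# unmasked 32-byte token and supports per-form tokens; both are omitted.
module CsrfDemo
  TOKEN_LENGTH = 32

  def self.b64encode(bytes) = [bytes].pack('m0')
  def self.b64decode(text)  = text.unpack1('m0') # raises ArgumentError if not strict base64

  # The per-session secret. Rails keeps it in session[:_csrf_token], so it
  # is only reachable from code running inside a request that has a session.
  def self.real_csrf_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(TOKEN_LENGTH)
    b64decode(session[:_csrf_token])
  end

  # Byte-wise XOR of two equal-length binary strings.
  def self.xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
  end

  # Constant-time equality so the comparison does not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # What form_authenticity_token / csrf_meta_tags put in the page: a random
  # one-time pad followed by (pad XOR secret). Every render looks different
  # (this is Rails' BREACH mitigation), yet all of them unmask to the same
  # session secret.
  def self.masked_token(session)
    raw = real_csrf_token(session)
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    b64encode(pad + xor(pad, raw))
  end

  # What verify_authenticity_token does with a submitted value.
  def self.valid_token?(session, encoded)
    return false if encoded.nil?
    decoded = b64decode(encoded)
    return false unless decoded.bytesize == 2 * TOKEN_LENGTH
    pad    = decoded[0, TOKEN_LENGTH]
    masked = decoded[TOKEN_LENGTH, TOKEN_LENGTH]
    secure_compare(xor(pad, masked), real_csrf_token(session))
  rescue ArgumentError
    false # malformed base64
  end

  # A rendered form reduced to its hidden authenticity_token field.
  def self.render_form(session)
    { 'authenticity_token' => masked_token(session) }
  end

  # Server-side acceptance of a submitted form against the user's session.
  def self.accept_submission?(user_session, form)
    valid_token?(user_session, form['authenticity_token'])
  end

  # Client-side refresh: copy the token from the page's <meta name="csrf-token">
  # into the form's hidden field, which is what rails-ujs's refreshCSRFTokens()
  # does for every form on the page.
  def self.refresh_form_token(form, meta_tag_token)
    form.merge('authenticity_token' => meta_tag_token)
  end
end

if __FILE__ == $PROGRAM_NAME
  user_session   = {}                                   # constructed: the browser's session
  meta_tag_token = CsrfDemo.masked_token(user_session)  # rendered with the page (bullet 1)

  # Bullet 1: form rendered inside the request, same session => accepted.
  form1 = CsrfDemo.render_form(user_session)
  puts "server-rendered form: #{CsrfDemo.accept_submission?(user_session, form1)}"

  # Bullet 2: ActiveJob renders with no request session; its token is a
  # masked copy of some other secret => rejected.
  job_form = CsrfDemo.render_form({})                   # constructed: the job's empty session
  puts "job-rendered form:    #{CsrfDemo.accept_submission?(user_session, job_form)}"

  # Same form after the browser swaps in the page's meta-tag token => accepted.
  fixed = CsrfDemo.refresh_form_token(job_form, meta_tag_token)
  puts "after refresh:        #{CsrfDemo.accept_submission?(user_session, fixed)}"
end
```

Running the file prints `true`, `false`, `true` for the three cases, which is the whole story of the question: the job's render can never produce a token for a session it cannot see, but the page already holds a session-bound token that any form on it may reuse.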
