Ticket #11032: ClassMethods.html

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html 
     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Module: ActionController::RequestForgeryProtection::ClassMethods</title>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  <meta http-equiv="Content-Script-Type" content="text/javascript" />
  <style type="text/css" media="screen">
body {
    font-family: Verdana,Arial,Helvetica,sans-serif;
    font-size:   90%;
    margin: 0;
    margin-left: 40px;
    padding: 0;
    background: white;
}

h1,h2,h3,h4 { margin: 0; color: #efefef; background: transparent; }
h1 { font-size: 150%; }
h2,h3,h4 { margin-top: 1em; }

a { background: #eef; color: #039; text-decoration: none; }
a:hover { background: #039; color: #eef; }

/* Override the base stylesheet's Anchor inside a table cell */
td > a {
  background: transparent;
  color: #039;
  text-decoration: none;
}

/* and inside a section title */
.section-title > a {
  background: transparent;
  color: #eee;
  text-decoration: none;
}

/* === Structural elements =================================== */

div#index {
    margin: 0;
    margin-left: -40px;
    padding: 0;
    font-size: 90%;
}


div#index a {
    margin-left: 0.7em;
}

div#index .section-bar {
   margin-left: 0px;
   padding-left: 0.7em;
   background: #ccc;
   font-size: small;
}


div#classHeader, div#fileHeader {
    width: auto;
    color: white;
    padding: 0.5em 1.5em 0.5em 1.5em;
    margin: 0;
    margin-left: -40px;
    border-bottom: 3px solid #006;
}

div#classHeader a, div#fileHeader a {
    background: inherit;
    color: white;
}

div#classHeader td, div#fileHeader td {
    background: inherit;
    color: white;
}


div#fileHeader {
    background: #057;
}

div#classHeader {
    background: #048;
}


.class-name-in-header {
  font-size:  180%;
  font-weight: bold;
}


div#bodyContent {
    padding: 0 1.5em 0 1.5em;
}

div#description {
    padding: 0.5em 1.5em;
    background: #efefef;
    border: 1px dotted #999;
}

div#description h1,h2,h3,h4,h5,h6 {
    color: #125;;
    background: transparent;
}

div#validator-badges {
    text-align: center;
}
div#validator-badges img { border: 0; }

div#copyright {
    color: #333;
    background: #efefef;
    font: 0.75em sans-serif;
    margin-top: 5em;
    margin-bottom: 0;
    padding: 0.5em 2em;
}


/* === Classes =================================== */

table.header-table {
    color: white;
    font-size: small;
}

.type-note {
    font-size: small;
    color: #DEDEDE;
}

.xxsection-bar {
    background: #eee;
    color: #333;
    padding: 3px;
}

.section-bar {
   color: #333;
   border-bottom: 1px solid #999;
    margin-left: -20px;
}


.section-title {
    background: #79a;
    color: #eee;
    padding: 3px;
    margin-top: 2em;
    margin-left: -30px;
    border: 1px solid #999;
}

.top-aligned-row {  vertical-align: top }
.bottom-aligned-row { vertical-align: bottom }

/* --- Context section classes ----------------------- */

.context-row { }
.context-item-name { font-family: monospace; font-weight: bold; color: black; }
.context-item-value { font-size: small; color: #448; }
.context-item-desc { color: #333; padding-left: 2em; }

/* --- Method classes -------------------------- */
.method-detail {
    background: #efefef;
    padding: 0;
    margin-top: 0.5em;
    margin-bottom: 1em;
    border: 1px dotted #ccc;
}
.method-heading {
  color: black;
  background: #ccc;
  border-bottom: 1px solid #666;
  padding: 0.2em 0.5em 0 0.5em;
}
.method-signature { color: black; background: inherit; }
.method-name { font-weight: bold; }
.method-args { font-style: italic; }
.method-description { padding: 0 0.5em 0 0.5em; }

/* --- Source code sections -------------------- */

a.source-toggle { font-size: 90%; }
div.method-source-code {
    background: #262626;
    color: #ffdead;
    margin: 1em;
    padding: 0.5em;
    border: 1px dashed #999;
    overflow: hidden;
}

div.method-source-code pre { color: #ffdead; overflow: hidden; }

/* --- Ruby keyword styles --------------------- */

.standalone-code { background: #221111; color: #ffdead; overflow: hidden; }

.ruby-constant  { color: #7fffd4; background: transparent; }
.ruby-keyword { color: #00ffff; background: transparent; }
.ruby-ivar    { color: #eedd82; background: transparent; }
.ruby-operator  { color: #00ffee; background: transparent; }
.ruby-identifier { color: #ffdead; background: transparent; }
.ruby-node    { color: #ffa07a; background: transparent; }
.ruby-comment { color: #b22222; font-weight: bold; background: transparent; }
.ruby-regexp  { color: #ffa07a; background: transparent; }
.ruby-value   { color: #7fffd4; background: transparent; }
  </style>
  <script type="text/javascript">
  // <![CDATA[

  function popupCode( url ) {
    window.open(url, "Code", "resizable=yes,scrollbars=yes,toolbar=no,status=no,height=150,width=400")
  }

  function toggleCode( id ) {
    if ( document.getElementById )
      elem = document.getElementById( id );
    else if ( document.all )
      elem = eval( "document.all." + id );
    else
      return false;

    elemStyle = elem.style;
    
    if ( elemStyle.display != "block" ) {
      elemStyle.display = "block"
    } else {
      elemStyle.display = "none"
    }

    return true;
  }
  
  // Make codeblocks hidden by default
  document.writeln( "<style type=\"text/css\">div.method-source-code { display: none }</style>" )
  
  // ]]>
  </script>

</head>
<body>



    <div id="classHeader">
        <table class="header-table">
        <tr class="top-aligned-row">
          <td><strong>Module</strong></td>
          <td class="class-name-in-header">ActionController::RequestForgeryProtection::ClassMethods</td>
        </tr>
        <tr class="top-aligned-row">
            <td><strong>In:</strong></td>
            <td>
                <a href="../../../files/lib/action_controller/request_forgery_protection_rb.html">
                lib/action_controller/request_forgery_protection.rb
                </a>
        <br />
            </td>
        </tr>

        </table>
    </div>
  <!-- banner header -->

  <div id="bodyContent">



  <div id="contextContent">

    <div id="description">
      <p>
Protecting controller actions from CSRF attacks by ensuring that all forms
are coming from the current web application, not a forged link from another
site, is done by embedding a token based on the session (which an attacker
wouldn&#8216;t know) in all forms and Ajax requests generated by Rails and
then verifying the authenticity of that token in the controller. Only
HTML/JavaScript requests are checked, so this will not protect your XML API
(presumably you&#8216;ll have a different authentication scheme there
anyway). Also, GET requests are not protected as these should be
indempotent anyway.
</p>
<p>
This is turned on with the <tt><a
href="ClassMethods.html#M000009">protect_from_forgery</a></tt> method,
which will check the token and raise an
ActionController::InvalidAuthenticityToken if it doesn&#8216;t match what
was expected. You can customize the error message in production by editing
public/422.html. A call to this method in ApplicationController is
generated by default in post-Rails 2.0 applications.
</p>
<p>
The token parameter is named <tt>authenticity_token</tt> by default. If you
are generating an HTML form manually (without the use of Rails&#8217;
<tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to include
a hidden field named like that and set its value to what is returned by
<tt>form_authenticity_token</tt>. Same applies to manually constructed Ajax
requests. To make the token available through a global variable to scripts
on a certain page, you could add something like this to a view:
</p>
<pre>
  &lt;%= javascript_tag &quot;window._token = '#{form_authenticity_token}'&quot; %&gt;
</pre>
<p>
Request forgery protection is disabled by default in test environment. If
you are upgrading from Rails 1.x, add this to config/environments/test.rb:
</p>
<pre>
  # Disable request forgery protection in test environment
  config.action_controller.allow_forgery_protection = false
</pre>
<h2>Learn more about CSRF (Cross-Site Request Forgery) attacks</h2>
<p>
Here are some resources:
</p>
<ul>
<li><a
href="http://isc.sans.org/diary.html?storyid=1750">isc.sans.org/diary.html?storyid=1750</a>

</li>
<li><a
href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">en.wikipedia.org/wiki/Cross-site_request_forgery</a>

</li>
</ul>
<p>
Keep in mind, this is NOT a silver-bullet, plug &#8216;n&#8217; play, warm
security blanket for your rails application. There are a few guidelines you
should follow:
</p>
<ul>
<li>Keep your GET requests safe and idempotent. More reading material:

<ul>
<li><a
href="http://www.xml.com/pub/a/2002/04/24/deviant.html">www.xml.com/pub/a/2002/04/24/deviant.html</a>

</li>
<li><a
href="http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1">www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1</a>

</li>
</ul>
</li>
<li>Make sure the session cookies that Rails creates are non-persistent. Check
in Firefox and look for &quot;Expires: at end of session&quot;

</li>
</ul>

    </div>


   </div>

    <div id="method-list">
      <h3 class="section-bar">Methods</h3>

      <div class="name-list">
      <a href="#M000009">protect_from_forgery</a>&nbsp;&nbsp;
      </div>
    </div>

  </div>


    <!-- if includes -->

    <div id="section">





      


    <!-- if method_list -->
    <div id="methods">
      <h3 class="section-bar">Public Instance methods</h3>

      <div id="method-M000009" class="method-detail">
        <a name="M000009"></a>

        <div class="method-heading">
          <a href="ClassMethods.src/M000009.html" target="Code" class="method-signature"
            onclick="popupCode('ClassMethods.src/M000009.html');return false;">
          <span class="method-name">protect_from_forgery</span><span class="method-args">(options = {})</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
Turn on request forgery protection. Bear in mind that only non-GET,
HTML/JavaScript requests are checked.
</p>
<p>
Example:
</p>
<pre>
  class FooController &lt; ApplicationController
    # uses the cookie session store (then you don't need a separate :secret)
    protect_from_forgery :except =&gt; :index

    # uses one of the other session stores that uses a session_id value.
    protect_from_forgery :secret =&gt; 'my-little-pony', :except =&gt; :index

    # you can disable csrf protection on controller-by-controller basis:
    skip_before_filter :verify_authenticity_token
  end
</pre>
<p>
Valid Options:
</p>
<ul>
<li><tt>:only/:except</tt> - passed to the <tt>before_filter</tt> call. Set
which actions are verified.

</li>
<li><tt>:secret</tt> - Custom salt used to generate the
<tt>form_authenticity_token</tt>. Leave this off if you are using the
cookie session store.

</li>
<li><tt>:digest</tt> - Message digest used for hashing. Defaults to
&#8216;SHA1&#8216;

</li>
</ul>
        </div>
      </div>


    </div>


  </div>


<div id="validator-badges">
  <p><small><a href="http://validator.w3.org/check/referer">[Validate]</a></small></p>
</div>

</body>
</html>