Comments (5)
rafaelfranca
commented on June 7, 2024
This is expected behavior to allow applications to cache the form
from rails.
rbclark
commented on June 7, 2024
Do you mind providing a bit more information on this? I'm not sure I understand the connection to caching here since as far as I understand it the token in the form doesn't expire until the session expires, unless you are talking about caching the rendering of the form for multiple users? More importantly it seems like this behavior defeats the purpose of per_form_csrf_tokens since the lack of a per_form_csrf_token falls back to the token that csrf_meta_tags sets in the header.
In my case I don't cache the form so having the ability to force the form authenticity would be beneficial.
from rails.
rbclark
commented on June 7, 2024
After doing a bit more reading I'm convinced this is still an issue. Looking at the ActionView::Helpers::CsrfHelper docs it states that You donβt need to use these tags for regular forms as they generate their own hidden fields.. So the issue I am running into is that I am using regular forms but since I need csrf_meta_tags for a few places then all of the forms in my app end up using csrf_meta_tags instead of only validating against the per_form_csrf_tag.
from rails.
rafaelfranca
commented on June 7, 2024
Yes. I mean caching the same fork for multiple users using techniques like Russian doll caching. It indeed defeats the per_form_csrf tokens, but at the same time this is how the system was build. Per form tokens were added later, and even when they were added we kept checking the global token as well for compatibility issues.
We can't change this without breaking a lot of applications, that is why it isn't an issue. If you don't want the global tokens to make request legit, you can remove the global csrf_meta_tags from the template and only add to the few places you need it.
from rails.
rbclark
commented on June 7, 2024
Thank you for the clarification! The one issue I would run into with removing csrf_meta_tags globally is that I have some pages that have both types of forms on them. Being able to set protect_from_forgery strict: true or something along those lines and then relaxing it for the routes that need it would be immensely useful. Would you consider a PR for such a change? strict would of course default to false to maintain backwards compatibility.
from rails.
Related Issues (20)
- Possible race condition in postgresql type_map initialization
- rspec tests won't after upgrading from rails 7.1.2 to 7.1.3.2: can't modify frozen Array when requiring environment file HOT 2
- form_with reverting to HTML processing only HOT 5
- Inaccurate docs/comments about ActiveStorage video previewer defaults could be improved HOT 4
- Inconsistent model state when dumped and loaded with Marshal version 7.1 HOT 4
- ActiveRecord connection is checked out/retained despite setting `config.active_record.permanent_connection_checkout = :disallowed` HOT 4
- Default Active Support Logger in Addition to Custom Logger in Rails 7.1 x BroadcastLogger Class in Development environment HOT 1
- Aws::Rails::SqsActiveJob#execute captures StandardError which is too wide HOT 1
- AppGeneratorTest fails because `Could not find gem 'kamal' in locally installed gems.` HOT 1
- `has_one :through` associations ignore preloaded records
- loading credentials key HOT 5
- Different timestamps behaviour with InsertAll HOT 3
- Activerecord: Insert fails on composed_primary_key model with id as not null Identity column
- procfile causes failure on Rails 8.0 HOT 8
- Rails 7.1 changes established database connection after calling `rails db:test:prepare` for multi-database apps HOT 4
- Storage folder seems like it is sometimes not needed
- Storage folder sometimes doesn't need Kamal configuration in Rails 8.0.0.alpha HOT 1
- Content-Type parsing breaks on valid test cases HOT 4
- PostgreSQL Apache AGE Rails (GraphDB driver questions / problems) HOT 6
- s
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from rails.