提交 · 00dad0343b3aa6cf019afe3c727d4a3d95ddc383 · 张重言 / rails

05 1月, 2015 1 次提交
- J
  Document all options for protect_from_forgery. · 24d48dfc
  由 Josef Šimánek 提交于 1月 04, 2015
```
[ci skip]
```
  24d48dfc
20 12月, 2014 1 次提交
- A
  Merge pull request #18102 from arthurnn/nodoc_constant · e4f015e4
  由 Arthur Nogueira Neves 提交于 12月 19, 2014
```
Add nodoc to some constants [skip ci]
```
  e4f015e4
24 10月, 2014 1 次提交
- G
  
  Use AS secure_compare for CSRF token comparison · 0073d274
  由 Guillermo Iguaran 提交于 10月 23, 2014
  
  0073d274
20 8月, 2014 1 次提交

Auth token mask from breach-mitigation-rails gem · 69fc0e1b

由 Bradley Buda 提交于 8月 19, 2014

This merges in the code from the breach-mitigation-rails gem that masks
authenticity tokens on each request by XORing them with a random set of
bytes. The masking is used to make it impossible for an attacker to
steal a CSRF token from an SSL session by using techniques like the
BREACH attack.

The patch is pretty simple - I've copied over the [relevant
code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb)
and updated the tests to pass, mostly by adjusting stubs and mocks.

69fc0e1b

09 8月, 2014 1 次提交
- H
  Uppercase HTML in docs. · 71c7fd10
  由 Hendy Tanata 提交于 8月 08, 2014
```
[skip ci]
```
  71c7fd10
28 7月, 2014 1 次提交
- D
  
  Fix protect_from_forgery docs · dce49f83
  由 David Albert 提交于 7月 24, 2014
  
  dce49f83
06 5月, 2014 1 次提交
- T
  
  Moved 'params[request_forgery_protection_token]' into its own method and improved tests. · 7d5a858e
  由 Tom Kadwill 提交于 5月 02, 2014
  
  7d5a858e
05 3月, 2014 1 次提交

Make CSRF failure logging optional/configurable. · 67584c6a

由 John Barton (joho) 提交于 3月 05, 2014

Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection
which is on by default.

67584c6a

18 12月, 2013 2 次提交
- J
  
  Clearly limit new CSRF protection to GET requests · 4f4fdd64
  由 Jeremy Kemper 提交于 12月 17, 2013
  
  4f4fdd64
- J
  CSRF protection from cross-origin <script> tags · 1650bb3d
  由 Jeremy Kemper 提交于 12月 12, 2013
```
Thanks to @homakov for sounding the alarm about JSONP-style data leaking
```
  1650bb3d
19 9月, 2013 1 次提交
- J
  NullSessionHash#destroy should be a no-op · 0f3124dd
  由 Jonathan Baudanza 提交于 9月 18, 2013
```
Previously it was raising a NilException
```
  0f3124dd
10 5月, 2013 1 次提交
- W
  
  [ci skip] document protect_against_forgery? method · cd35c190
  由 Weston Platter 提交于 5月 07, 2013
  
  cd35c190
22 2月, 2013 2 次提交
- S
  
  This cache is not needed · c60be72c
  由 Santiago Pastorino 提交于 2月 21, 2013
  
  c60be72c
- S
  
  Use composition to figure out the forgery protection strategy · 765006de
  由 Santiago Pastorino 提交于 2月 21, 2013
  
  765006de
09 2月, 2013 1 次提交
- A
  
  Fix #9168 Initialize NullCookieJar with all options needed for KeyGenerator · 4127332a
  由 Andrey Chernih 提交于 2月 08, 2013
  
  4127332a
26 1月, 2013 1 次提交

Integrate Action Pack with Rack 1.5 · 7d624e0e

由 Carlos Antonio da Silva 提交于 1月 11, 2013

All ActionPack and Railties tests are passing. Closes #8891.

[Carlos Antonio da Silva + Santiago Pastorino]

7d624e0e

23 1月, 2013 1 次提交
- M
  
  Added request.head? to forgery protection code · 2ef138f0
  由 Michiel Sikkes 提交于 1月 22, 2013
  
  2ef138f0
08 12月, 2012 1 次提交
- F
  
  use `_action` instead of `_filter` callbacks · 5fb94ec0
  由 Francesco Rodriguez 提交于 12月 07, 2012
  
  5fb94ec0
04 11月, 2012 1 次提交
- S
  
  Sign cookies using key deriver · 60609bb5
  由 Santiago Pastorino 提交于 10月 31, 2012
  
  60609bb5
28 10月, 2012 1 次提交
- A
  
  Multiple changes to 1,9 hash syntax · 62f273b6
  由 AvnerCohen 提交于 10月 27, 2012
  
  62f273b6
14 9月, 2012 1 次提交
- A
  Build fix for ActionMailer · 5138a303
  由 Arun Agrawal 提交于 9月 14, 2012
```
See

http://travis-ci.org/#!/rails/rails/jobs/2444632
```
  5138a303
13 9月, 2012 1 次提交

Implement :null_session CSRF protection method · 95be790e

由 Sergey Nartimov 提交于 9月 13, 2012

It's further work on CSRF after 24594110.

The :null_session CSRF protection method provide an empty session during
request processing but doesn't reset it completely (as :reset_session
does).

95be790e

03 8月, 2012 1 次提交
- X
  
  load active_support/core_ext/class/attribute in active_support/rails · 5e1b9204
  由 Xavier Noria 提交于 8月 02, 2012
  
  5e1b9204
15 6月, 2012 1 次提交
- V
  
  copy editing [ci skip] · 6efc5bf4
  由 Vijay Dev 提交于 6月 14, 2012
  
  6efc5bf4
08 6月, 2012 3 次提交
- D
  
  on CSRF whitelisting the argument for :if must be a symbol · 5c17aa51
  由 Daniel Lopes 提交于 6月 07, 2012
  
  5c17aa51
- D
  
  fix typos on the CSRF whitelisting doc · faf27445
  由 Daniel Lopes 提交于 6月 07, 2012
  
  faf27445
- D
  
  Document the CSRF whitelisting on get requests · 39856627
  由 Daniel Lopes 提交于 6月 07, 2012
  
  39856627
15 5月, 2012 1 次提交
- F
  
  Removing ==Examples and last blank lines of docs from actionpack · fc0391ff
  由 Francesco Rodriguez 提交于 5月 15, 2012
  
  fc0391ff
29 3月, 2012 1 次提交
- T
  
  CSRF messages are no longer controlled by 422.html because InvalidAuthenticityToken is not raised · e8108433
  由 Tony Primerano 提交于 3月 28, 2012
  
  e8108433
10 3月, 2012 1 次提交

configure how unverified request will be handled · 24594110

由 Sergey Nartimov 提交于 3月 09, 2012

can be configured using `:with` option in `protect_from_forgery` method
or `request_forgery_protection_method` config option

possible values:
- :reset_session (default)
- :exception

new applications are generated with:

    protect_from_forgery :with => :exception

24594110

06 1月, 2012 1 次提交
- K
  
  removed warning because logger.warn differentiate the warings · 93ec400e
  由 Karunakar (Ruby) 提交于 1月 05, 2012
  
  93ec400e
10 9月, 2011 1 次提交
- M
  
  Change log level for CSRF token verification warning · 7fb99e57
  由 Mike Dillon 提交于 9月 02, 2011
  
  7fb99e57
24 7月, 2011 1 次提交
- O
  Changed a few instances of of words in the API docs written in British English to · 71d18ce4
  由 Oemuer Oezkir 提交于 7月 24, 2011
```
American English(according to Weber)
```
  71d18ce4
11 7月, 2011 1 次提交
- V
  
  TODO fix explicitly loading exceptations, autoload removed · 525fd3ac
  由 Vishnu Atrai 提交于 6月 29, 2011
  
  525fd3ac
02 7月, 2011 1 次提交
- V
  
  document handle_unverified_request method · 2949e30a
  由 Vijay Dev 提交于 7月 02, 2011
  
  2949e30a
01 7月, 2011 1 次提交
- V
  
  update doc about resetting the session in case of authenticity token mismatch · 5fe67fa7
  由 Vijay Dev 提交于 7月 01, 2011
  
  5fe67fa7
24 5月, 2011 2 次提交
- S
  
  Remove extra white spaces on ActionPack docs. · fcdb5dc5
  由 Sebastian Martinez 提交于 5月 23, 2011
  
  fcdb5dc5
- J
  Replace references to ActiveSupport::SecureRandom with just SecureRandom, and... · d411c85a
  由 Jon Leighton 提交于 5月 23, 2011
```
Replace references to ActiveSupport::SecureRandom with just SecureRandom, and require 'securerandom' from the stdlib when active support is required.
```
  d411c85a
09 5月, 2011 1 次提交
- J
  
  Warn if we cannot verify CSRF token authenticity · 59705dee
  由 José Valim 提交于 5月 09, 2011
  
  59705dee
23 2月, 2011 1 次提交
- M
  
  Prepend the CSRF filter to make it much more difficult to execute application code before it fires. · 3d907a68
  由 Michael Koziarski 提交于 2月 23, 2011
  
  3d907a68