Improved formatting of csrf_helper and improved test coverage

Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:

 X-CSRF-Token: ...

This fixes CVE-2011-0447

[#6228 state:committed]
Signed-off-by: NSantiago Pastorino <santiago@wyeworks.com>

Added tests for form_for and an authenticity_token option. Added docs for for_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers.

[#6228 state:committed]
Signed-off-by: NSantiago Pastorino <santiago@wyeworks.com>

get csrf_meta_tag back to the generated layout in deference to existing printed material, chomp also the generated HTML to be faithful to the output before the refactor

revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibilty

code gardening: we have assert_(nil|blank|present), more concise, with better default failure messages - let's use them

Cleanup route reloading in tests. Prefer with_routing over using ActionController::Routing::Routes directly

[#1617 state:resolved]

This deprecates the use of :secret and :digest which were only needed when we were hashing session ids.

Signed-off-by: NMichael Koziarski <michael@koziarski.com>

The session is used by the form_authenticity_token method before it is
tested to be valid.  This patch moves a few lines around so that the
session is validated first.

Without this patch, if you try to use forgery protection with sessions
turned off, you get this exception message:

  undefined method `session_id' for {}:Hash

The patch includes a test that can be used to see this behavior before
the request_forgery_protection.rb file is patched to fix it.

Change the request forgery protection to go by Content-Type instead of request.format so that you can't bypass it by POSTing to "#{request.uri}.xml" [#73 state:resolved]

Don't append the forgery token to an ajax request if it's serializing a form, prevents duplicate tokens. Closes #10684 [macournoyer]


git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8598 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@8564 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7719 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

Better error messages if you leave out the :secret option for request forgery protection.  Closes #9670 [rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7671 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7670 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

Allow ability to disable request forgery protection, disable it in test mode by default.  Closes #9693 [lifofifo]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7668 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7636 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7623 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

Rename some RequestForgeryProtection methods.  The class method is now #protect_from_forgery, and the default parameter is now 'authenticity_token'.  [Rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7596 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

Merge csrf_killer plugin into rails.  Adds RequestForgeryProtection model that verifies session-specific _tokens for non-GET requests.  [Rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7592 5ecf4fe2-1ee6-0310-87b1-e25e094e27de