Remote Forgery Protection is a Rails plugin that automatically adds authenticity token to Ajax requests.
Rails protects controller actions from CSRF (Cross-Site Request Forgery) attacks with a token based on a random string stored in the session. The token parameter is named authenticity_token by default and will be embedded in all forms and Ajax requests generated by Rails.
What about hand coded Ajax request? You can manually add authenticity_token parameter to all Ajax requests or you can let Remote Forgery Protection plugin do everything for you.
Supported Javascript libraries: Prototype, jQuery and ExtJS (let me know if you would like to see it working with some other library)
Install the plugin
$ script/plugin install git://github.com/vlado/remote_forgery_protection.git
(Optional but recommended) Generate remote_forgery_protection.js file by running
$ script/generate remote_forgery_protection
Just add this line in your head section
<%= remote_forgery_protection %>
and all future non GET Ajax request will automatically send authenticity_token parameter. You will also have global variable _token to use anywhere in you’re scripts.
This will produce something like
<script type="text/javascript"> window._token = 'somecomplextoken'; </script> <script src="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/javascripts/remote_forgery_protection.js" type="text/javascript"></script>
If file /javascripts/remote_forgery_protection.js doesn’t exist, all the code will be included inline and output will now look like
<script type="text/javascript"> 
  window._token = 'somecomplextoken';
  Ajax.Base.prototype.initialize = Ajax.Base.prototype.initialize.wrap(function() {
    var args = $A(arguments), proceed = args.shift();
    ... some javascript code ...
    proceed.apply(null, args);
  });
  ... some javascript code ..
</script>
You can also force javascript to be included inline by passing :inline => true option
<%= remote_forgery_protection :inline => true %>
Blog post - kolodvor.net/2010/01/02/rails-csrf-and-ajax-requests
Rails documentation - api.rubyonrails.org/classes/ActionController/RequestForgeryProtection/ClassMethods.html
Inspired by - opensoul.org/2008/10/24/ajax-and-request-forgery-protection
You know about XSS. How about XSRF/CSRF? - isc.sans.org/diary.html?storyid=1750
CSRF on Wikipedia - en.wikipedia.org/wiki/Cross-site_request_forgery
Copyright © 2009 Vlado Cingel, released under the MIT license