Invalid Cross Origin Request After Upgrading to Rails 4.1
Some point after I upgraded from Rails 3.2 to Rails 4.1, I started getting the following errors:

ActionController::InvalidCrossOriginRequest: Security warning: an embedded tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript

They mainly come from Internet Explorer 6 or 8 browsers on Windows XP, and never have accompanying user info, even though they're accessing a controller action that is only displayed to signed-in users.

How do I fix this issue or resolve it?

(See also a related issue from before upgrading: Why does Rails Fail to access the Session in an Ajax request from Internet Explorer?)

Alliber answered 28/5, 2014 at 2:40

Comments:

Check for JavaScript errors in the JavaScript console for IE (press F12 and find the "console" tab). I'd bet there are some error(s) that are preventing the normal JS from working like it should in IE. (Accountable)

Are you accessing your own server, or a different one? (Trivandrum)

@RichPeck, a JavaScript file calls my own server. (Alliber)

I was looking at a related source of CORS issues and made a Q&A here... #24707836 (Blackberry)
As per "CSRF protection from remote <script> tags" in the Rails upgrade guide:

In the case of tests, where you are also acting as the client, change from:

get :index, format: :js

To:

xhr :get, :index, format: :js

http://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#csrf-protection-from-remote-script-tags

If you want this route to skip the CSRF check, whitelist the route using something like:

protect_from_forgery :except => :create
Psychognosis answered 6/10, 2014 at 15:54

Comments:

JAR.JAR.beans, what's the potential security risk of putting this :except => :create? (Prosperity)

The error disappears after adding :except => :new. We are trying to find out what the potential risks associated with this except are. Does anyone have ideas? (Prosperity)

BTW, the error in our app is caused by an Ajax call that creates a new log. All JS code resides in the same app and there is no cross-referencing as I understand it. (Prosperity)
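As an added illustration (not part of the answer above or of Rails itself), the following Ruby models the same-origin check that Rails 4.1's ActionController::RequestForgeryProtection applies to JavaScript responses, so the two fixes in the answer can be compared: sending the request as XHR (which is what the `xhr :get` test helper does by setting X-Requested-With) satisfies the check, while `protect_from_forgery :except` switches the check off for that action. `Request` and `ScriptsController` are hypothetical stand-ins for the real request object and controller.

```ruby
# Minimal stand-in for the Rails request object; these are the only
# attributes the same-origin check consults.
Request = Struct.new(:http_method, :xhr) do
  def get?; http_method == "GET"; end
  def xhr?; xhr; end   # true only when X-Requested-With: XMLHttpRequest was sent
end

class InvalidCrossOriginRequest < StandardError; end

# Hypothetical controller whose JS action is reserved for signed-in users.
# `except:` mirrors `protect_from_forgery except: [...]`.
class ScriptsController
  def initialize(except: [])
    @except = except.map(&:to_s)
  end

  # Returns the rendered JavaScript body, or raises InvalidCrossOriginRequest
  # the way Rails 4.1 does for a GET that renders text/javascript without
  # having been issued as XHR.
  def render_js(action, request)
    body = "window.secret = 'user data';" # constructed protected JavaScript
    content_type = "text/javascript"
    protected_action = !@except.include?(action.to_s)
    # verify_authenticity_token marks GET requests for verification only
    # when forgery protection is active for this action.
    marked = protected_action && request.get?
    # A non-XHR JS response is exactly what a <script src=...> embedded on
    # another site would receive, hence the security warning in the error.
    non_xhr_js = content_type.start_with?("text/javascript") && !request.xhr?
    if marked && non_xhr_js
      raise InvalidCrossOriginRequest,
            "Security warning: an embedded <script> tag on another site requested protected JavaScript"
    end
    body
  end
end
```

Whitelisting the action therefore serves the JavaScript to any non-XHR GET, which is the risk the commenters asked about; fixing the client to send the request via XHR keeps the protection in place.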
