xmlhttprequest - Sinatra/Thin: CSRF Warning on CORS xhr preflight request -


i've written server handle cross site json requests. it's api meant called ajax. got working, still getting strange warnings.

since of api calls posts, there preflight options request triggers warning (thin output):

127.0.0.1 - - [15/aug/2013 22:24:20] "options /login http/1.1" 200 - 0.0080 w, [2013-08-15t22:24:20.124254 #3236]  warn -- : attack prevented rack::prote ction::httporigin

here's preflight header request causes this:

options /login http/1.1 host: localhost:3000 connection: keep-alive access-control-request-method: post origin: http://localhost:4567 user-agent: mozilla/5.0 (windows nt 6.1; wow64) applewebkit/537.36 (khtml, gecko) chrome/28.0.1500.95 safari/537.36 access-control-request-headers: origin, content-type accept: */* referer: http://localhost:4567/index.html accept-encoding: gzip,deflate,sdch accept-language: en-us,en;q=0.8

additionally, i'd know warning:

security warning: no secret option provided rack::session::cookie. poses security threat. recommended provide secret prevent exploits may possible crafted cookies. not supported in future versions of rack, , future versions invalidate existing user cookies.

here's server code headers should allowing cors xhr:

enable :sessions  before    headers['access-control-allow-origin'] = 'http://localhost:4567'   headers['access-control-allow-headers'] = 'origin, content-type, accept'   headers['access-control-allow-credentials'] = 'true'    if request.request_method == 'options'     headers["access-control-allow-methods"] = "post, get"     halt 200   end end

this 2 related questions, i'll address them 1 @ time.

  1. according this question looks need provide origin whitelist sinatra. trying protect cross site scripting attacks harm users. however, there cases when want allow cross site scripting occur. can this:

    set :protection, :origin_whitelist => ['http://web.example.com']

    the headers apply user's browser, rack needs permission well. 2 lines of defense. more information, see documentation rack::protection (which sinatra uses here).

  2. the "secret option" error refers setting on rack::session. when use rack::session functionality can pass in secret this:

    use rack::session::cookie, :key => 'rack.session',                            :domain => 'foo.com',                            :path => '/',                            :expire_after => 2592000,                            :secret => 'change_me'

    do above instead of simple enable :sessions. can find documentation rack::session here.


Comments

Post a Comment

Popular posts from this blog

assembly - 8086 TASM: Illegal Indexing Mode -

this question has answer here: illegal use of register in indirect addressing 1 answer i writing 8086 assembly program needs compile through tasm v3.1. running error can not seem fix. my data segment has following set purposes of keyboard input: parao label byte maxo db 5 acto db ? datao db 5 dup('$') what trying first character entered, first byte of datao: lea dx, datao mov bl, [dx] however, when attempt compile, error: **error** h5.asm(152) illegal indexing mode line 152 "mov bl, [dx]" any appreciated. if matters, running tasm through dosbox (my laptop running 64-bit win7) google hasn't come helpful answers. can post entirety of code if necessary. pretty sure reason can't use dx register pointer. try instead using [si], [di] or [bx]: lea bx, data0 mov al, [bx]
Read more

Java, LWJGL, OpenGL 1.1, decoding BufferedImage to Bytebuffer and binding to OpenGL across classes -

i've been attempting solve problem without luck. have 4 classes, main class, object class, sprite class , image loader class. i'm attempting load png using image loader , using method found here: http://www.java-gaming.org/topics/bufferedimage-to-lwjgl-texture/25516/msg/220280/view.html#msg220280 convert bytebuffer, , bind opengl. the image in it's own seperate resource folder. should being drawn this: ( http://i.imgur.com/j8gbu4c.png ) (32x32), i'm seeing white box has dimensions of image, not actual texture. if has idea of go fix i'd appreciate it. i'm new opengl , looking avoid using external library in order learn how actual code works. thanks. updated! to following, implemented suggestion provided vallentin, quad taking color of first pixel in image. i've attempted implementing image loader provided c.s here . i'm receiving error: javax.imageio.iioexception: error reading png image data @ com.sun.imageio.plugins.png.pngimagereader.r...
Read more

javascript - addthis share facebook and google+ url -

i attempting use addthis create simple url shares whichever current page user on when click share button. of right now, have twitter working. when user clicks, able see url populated in tweet box. when user clicks facebook or google+, url doesn't seem show in share box. <ul class="addthis_toolbox addthis_default_style "> <li><a class="addthis_button_facebook"><img src="/img/facebook-social.png" width="20" height="20" border="0" alt="share" /></a></li> <li><a class="addthis_button_twitter"><img src="/img/twitter-social.png" width="20" height="20" border="0" alt="share" /></a></li> <li><a class="addthis_button_google_plusone_share"><img src="/img/google-social.png" width="20" height="20" border="0" alt="s...
Read more