12

Some point after I upgraded from Rails 3.2 to Rails 4.1, I started getting the following errors:

ActionController::InvalidCrossOriginRequest: Security warning: an embedded tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript

They mainly come from Internet Explorer 6 or 8 browsers on Windows XP, and never have accompanying user info, even though they're accessing a controller action that is only displayed to signed-in users.

How do I fix this issue or resolve it?

(See also a related issue from before upgrading: Why does Rails Fail to access the Session in an Ajax request from Internet Explorer?)

am-rails

  • Check for JavaScript errors in the JavaScript console for IE (press F12 and find the "console" tab). I'd bet there are some error(s) that are preventing the normal JS from working like it should in IE. – pdobb May 28 '14 at 02:54
  • Are you accessing your own server, or a different one? – Richard Peck May 28 '14 at 06:27
  • @RichPeck, a JavaScript file calls my own server. – am-rails May 28 '14 at 13:41
  • I was looking at a related source of CORS issues and made a Q&A here: https://stackoverflow.com/questions/24707336/googlebot-causes-an-invalid-cross-origin-request-cor-on-rails-4-1/24707337#24707337 – Zachary Moshansky Jul 14 '14 at 17:06

1 Answer

20

As per "CSRF protection from remote <script> tags" in the Rails guide:

In the case of tests, where you are also doing the client, change from:

get :index, format: :js

To:

xhr :get, :index, format: :js

http://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#csrf-protection-from-remote-script-tags

In case you want this route to skip the CSRF check, whitelist the route using something like:

protect_from_forgery :except => :create
JAR.JAR.beans

  • JAR.JAR.beans, what's the potential security risk of putting this :except => :create? – user938363 Feb 22 '15 at 17:55
  • The error disappears after adding :new to :except. We are trying to find out what the potential risks associated with this except are. Does anyone have ideas? – user938363 Feb 22 '15 at 18:05
  • BTW the error in our app is caused by an Ajax call to create a new log. All JS code resides in the same app and there is no cross-referencing as I understand. – user938363 Feb 22 '15 at 18:08
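Added example, not code from the question, the answer or Rails itself: a plain-Ruby model of the same-origin check that Rails 4.1's protect_from_forgery runs when a GET action renders JavaScript, which is what raises the error above. It shows that the check only looks at two things, whether the response is JS and whether the request carried the XMLHttpRequest header, and that an action listed in :except skips the check entirely (the risk the comments ask about). The Request and SameOriginCheck names are assumptions made for this example.

```ruby
# Added example (not from the question or answer): a plain-Ruby model of the
# same-origin check that Rails 4.1's protect_from_forgery runs on GET requests
# that render JavaScript. Request and SameOriginCheck are names assumed here.
require 'logger'

class InvalidCrossOriginRequest < StandardError; end

WARNING = "Security warning: an embedded <script> tag on another site requested " \
          "protected JavaScript. If you know what you're doing, go ahead and " \
          "disable forgery protection on this action to permit cross-origin JavaScript."

# Minimal stand-in for ActionDispatch::Request: only the pieces the check reads.
Request = Struct.new(:headers, :format) do
  # Rails treats a request as XHR when X-Requested-With contains "XMLHttpRequest".
  # A <script src="..."> tag embedded on another site cannot set this header,
  # so a JS response to a non-XHR GET is treated as a cross-origin script load.
  def xhr?
    (headers['X-Requested-With'] || '') =~ /XMLHttpRequest/i ? true : false
  end
end

class SameOriginCheck
  # skipped_actions mirrors protect_from_forgery :except => [...]
  def initialize(skipped_actions: [], logger: Logger.new(nil))
    @skipped_actions = skipped_actions.map(&:to_sym)
    @logger = logger
  end

  # Returns :ok when the response may be sent, :skipped when the action is
  # whitelisted, and raises InvalidCrossOriginRequest otherwise.
  def verify!(action, request)
    return :skipped if @skipped_actions.include?(action.to_sym)
    if non_xhr_javascript_response?(request)
      @logger.warn(WARNING)
      raise InvalidCrossOriginRequest, WARNING
    end
    :ok
  end

  private

  # The condition Rails uses: a JavaScript response requested without XHR.
  def non_xhr_javascript_response?(request)
    request.format == :js && !request.xhr?
  end
end
```

A request from a browser or test client that drops the X-Requested-With header (as in the question) hits the raise branch; with :except the same request is served without any check, so that action then also answers plain <script> loads from other origins.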