ActionController::InvalidCrossOriginRequest after redirect in rails >= 4.1 #130
Comments
|
Just ran into this as well -- did you find a better workaround @MGotink? Or are you still just disabling protection for that action. |
|
I'm still disabling the CSRF protection for that specific action: |
|
👍 thanks! I'll continue doing the same. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I'm getting a ActionController::InvalidCrossOriginRequest exception when I try to redirect to another URL after the file upload.
Since rails 4.1 GET requests with javascript responses are now also covered by CSRF protection: https://github.com/rails/rails/blob/v4.2.2/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L219-L227
It looks like that because the X-Requested-With header is not set in the header (only in the form data) the browser won't use it as a header in the redirected request, triggering the InvalidCrossOriginRequest.
A sample application demonstrating the issue can be found here: https://github.com/MGotink/remotipart-redirect-demo
For now i've disabled forgery protection for the specific action. It would be nice if this wouldn't be necessary, but as far as I can see that might not be possible with the current solution of uploading the files.
The text was updated successfully, but these errors were encountered: