Michal

Reputation: 753

Fragment caching & CSRF

What is the preferred way to deal with cached forms and CSRF token? Here they propose a JS overwrite of input attribute, but I also want to cache the header.

Upvotes: 5

Views: 570

Answers (2)

Paritosh Piplewar

Reputation: 8132

This works for me. I just kept this in my application.js and everything works flawlessly.

    // Send the token from the page's <meta name="csrf-token"> tag with every
    // jQuery AJAX request, so Rails' request forgery check passes.
    $.ajaxSetup({
      beforeSend: function(xhr) {
        var csrf_value = $("meta[name='csrf-token']").attr("content");
        xhr.setRequestHeader("X-CSRF-Token", csrf_value);
      }
    });

Upvotes: 1

severin

Reputation: 10268

Here is an article describing different methods: http://www.fastly.com/blog/Caching-the-Uncacheable-CSRF-security/.

A short summary:

  1. Using ESI (Edge Side Includes): render a placeholder in Rails which you fill with the CSRF token later.
  2. Including the CSRF token in a cookie and copying it into the form via javascript.
  3. Fetch the token in a separate AJAX request and copy it into the form via javascript.

My take:

You need to set up special infrastructure for using ESI, so I do not like that solution. AJAX requests are slow and add a lot of network overhead, so I do not like that solution either... So I would go with the cookie solution or with the JS solution you already mentioned, since these are the simplest solutions.

Upvotes: 6
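The cookie approach (option 2 in the summary above), as an added example that is not part of the question or either answer. It assumes Rails sets a readable, non-HttpOnly cookie named csrf_token (the name is an assumption) holding the current token, and that the cached fragment contains the standard Rails meta[name='csrf-token'] and input[name='authenticity_token'] tags; refreshing the meta tag also keeps the X-CSRF-Token header from the other answer correct.

```javascript
// Added example: overwrite the stale CSRF token frozen into a cached fragment
// with the live one Rails placed in a cookie. Cookie name "csrf_token" and the
// Rails tag names below are assumptions, not taken from the question or answers.

// Parse a document.cookie string ("a=1; b=2") into a name -> value map.
// Only the first "=" separates name and value, so base64 padding survives.
function parseCookies(cookieString) {
  var out = {};
  if (!cookieString) return out;
  cookieString.split(';').forEach(function (part) {
    var idx = part.indexOf('=');
    if (idx < 0) return;
    var name = part.slice(0, idx).trim();
    var value = part.slice(idx + 1).trim();
    try { out[name] = decodeURIComponent(value); } catch (e) { out[name] = value; }
  });
  return out;
}

// Return the token from the cookie jar, or null when it is absent or empty.
function csrfTokenFromCookies(cookieString, cookieName) {
  var token = parseCookies(cookieString)[cookieName || 'csrf_token'];
  return token ? token : null;
}

// Replace the cached token in the meta tag and in every form's hidden field.
// `doc` is the DOM document (or any object exposing querySelectorAll).
// Returns the number of nodes updated; 0 when no token is available, so a
// missing cookie leaves the page untouched rather than blanking the fields.
function injectCsrfToken(doc, token) {
  if (!token) return 0;
  var updated = 0;
  var metas = doc.querySelectorAll("meta[name='csrf-token']");
  for (var i = 0; i < metas.length; i++) {
    metas[i].setAttribute('content', token);
    updated++;
  }
  var inputs = doc.querySelectorAll("input[name='authenticity_token']");
  for (var j = 0; j < inputs.length; j++) {
    inputs[j].value = token;
    updated++;
  }
  return updated;
}

// Browser usage: run once the DOM is ready, before any form can be submitted.
if (typeof document !== 'undefined') {
  injectCsrfToken(document, csrfTokenFromCookies(document.cookie));
}
```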
