Rails4 Upgrade: Cross Origin Security in js/xhr Requests
After the Rails 4 upgrade, we started getting the ActionController::InvalidCrossOriginRequest exception almost every minute.
Airbrake grouped most of the errors under two actions: search and the assets URL.
A quick Google search for the error immediately turned up the new Rails 4 security change: CSRF protection from cross-origin script tags.
Going through the details, the source and intent of the exception were clear.
Since the cause is obvious, there are a few ways to work around or fix it.
Solution 1 - We used
Why the first solution?
- To support a mix of http/https on the site, asset URLs are protocol-relative (they start with //) so the browser fills in the protocol from the page's own protocol
- Bots follow a different convention: they prepend the page's absolute URL to any link starting with /, hence the error
- //assets3.xyz.com/all.js becomes xyz.com//assets3.xyz.com/all.js
- That request hits the application and gets swallowed by the catch-all application#render_not_found
- Because the path ends in .js it is interpreted as a JS request, the new security patch blocks it, and boom, the EXCEPTION :(
- For the search action, it can be resolved with Solution 2, but why bother if we need to bypass the check for assets anyway :P
- Bots following protocol-relative URLs this way might be resolved by configuration in
- More on this later … cya :)
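To make the failure mode concrete, here is an added Ruby example (not from the original post and not Rails' own code). It resolves the protocol-relative asset link the way a browser does and the way the misbehaving bot does, then runs the resulting requests through a simplified model of the Rails 4 same-origin check (a GET that is not an XHR and would get a JavaScript response is blocked). The `Request` struct, `same_origin_verdict` and the `skip_verification` flag are illustrative assumptions; the Rails-level equivalent of that flag is skipping `verify_authenticity_token` for the affected action.

```ruby
require 'uri'

# How a standards-compliant browser resolves a protocol-relative asset URL:
# the reference supplies the host, the page supplies the scheme (RFC 3986).
def browser_resolve(page_url, href)
  URI.join(page_url, href).to_s
end

# How the bot described in the post resolves the same link (constructed model):
# it blindly prepends the page's scheme and host to anything starting with "/".
def naive_bot_resolve(page_url, href)
  page = URI.parse(page_url)
  href.start_with?('/') ? "#{page.scheme}://#{page.host}#{href}" : href
end

# Minimal request model (illustrative, not Rails' ActionDispatch::Request).
Request = Struct.new(:method, :path, :xhr, keyword_init: true)

# Rails picks the response format from the path extension; ".js" means the
# action would render JavaScript, which is what the new protection looks at.
def js_format?(path)
  File.extname(path.split('?').first) == '.js'
end

# Simplified model of the Rails 4 same-origin verification (not Rails' code):
# only GET responses are marked for verification, only JavaScript responses
# are affected, and an XHR header proves the request came from same-origin JS.
# Non-GET requests are covered by the CSRF token check, outside this model.
def same_origin_verdict(req, skip_verification: false)
  return :served if skip_verification          # verification skipped for this action
  return :served unless req.method == 'GET'    # only GET is marked for verification
  return :served unless js_format?(req.path)   # only JS responses are checked
  req.xhr ? :served : :blocked                 # non-XHR GET for JS looks like a cross-origin <script>
end

# Walk through the scenario from the post with a constructed page and link.
def demo
  page = 'http://xyz.com/page'
  href = '//assets3.xyz.com/all.js'
  browser_url = browser_resolve(page, href)   # goes to the CDN, never hits the app
  bot_url     = naive_bot_resolve(page, href) # hits the app's catch-all route
  bot_req = Request.new(method: 'GET', path: URI.parse(bot_url).path, xhr: false)
  {
    browser_url: browser_url,
    bot_url: bot_url,
    bot_verdict: same_origin_verdict(bot_req),
    bot_verdict_with_skip: same_origin_verdict(bot_req, skip_verification: true)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Running the script shows the bot's mangled URL lands on the app as a non-XHR GET for a `.js` path and is blocked, while the same path with the XHR header, or with verification skipped for that action, is served; the browser's correctly resolved URL never reaches the app at all.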
Enjoy Rails 4 !!!