Comments on Egor Homakov: Do not use RJS-like techniques
Feed author: homakov (http://www.blogger.com/profile/10492045246792330280), last updated 2024-02-10T02:19:53.889-08:00

Anonymous, 2013-08-28T05:46:25.610-07:00:
I think RJS is great for prototyping but I wouldn't use it for production.

martin.povolny (https://www.blogger.com/profile/18314427730695321294), 2013-12-08T07:22:39.990-08:00:
Hi.

First of all, thanks for sharing your findings!

I don't get how your pull request for Rails fixes the problem. I understand that it checks that the callback is present, but the attacking side can provide a valid callback and still attack.

For example, if the affected site sends JavaScript statements that update the page, such as creating a form, then all you have to do is provide your own Element.update or whatever JS framework the site uses.

Please correct me if I am missing something.

homakov (https://www.blogger.com/profile/10492045246792330280), 2013-12-08T20:29:30.568-08:00:
which pull request? don't know what you're talking about

martin.povolny, 2013-12-10T00:25:46.855-08:00:
I thought this one: https://github.com/rails/rails/pull/9075
But I probably misunderstood what you wrote.

homakov, 2013-12-10T05:28:51.679-08:00:
this PR is completely irrelevant, it's to filter JSONP more strictly.