rack-devel archive mirror (unofficial) https://groups.google.com/group/rack-devel
* attack prevented by Rack::Protection::RemoteToken
@ 2011-12-08 15:29 oilpastels
  2011-12-08 17:20 ` Evgeni Dzhelyov
  2011-12-08 21:24 ` mateo
  0 siblings, 2 replies; 5+ messages in thread
From: oilpastels @ 2011-12-08 15:29 UTC (permalink / raw)
  To: Rack Development

I have a sinatra app that works fine on Heroku, but when requested as
a page tab on facebook returns blank, and the logs read "attack
prevented by Rack::Protection::RemoteToken". What is this about?


* Re: attack prevented by Rack::Protection::RemoteToken
  2011-12-08 15:29 attack prevented by Rack::Protection::RemoteToken oilpastels
@ 2011-12-08 17:20 ` Evgeni Dzhelyov
  2011-12-08 21:24 ` mateo
  1 sibling, 0 replies; 5+ messages in thread
From: Evgeni Dzhelyov @ 2011-12-08 17:20 UTC (permalink / raw)
  To: rack-devel

https://github.com/rkh/rack-protection/blob/master/lib/rack/protection/remote_token.rb


* Re: attack prevented by Rack::Protection::RemoteToken
  2011-12-08 15:29 attack prevented by Rack::Protection::RemoteToken oilpastels
  2011-12-08 17:20 ` Evgeni Dzhelyov
@ 2011-12-08 21:24 ` mateo
  2011-12-08 23:54   ` oilpastels
  1 sibling, 1 reply; 5+ messages in thread
From: mateo @ 2011-12-08 21:24 UTC (permalink / raw)
  To: Rack Development

Facebook requests pages via POST, and since the referrer is different,
it's tripping up your app's CSRF protection

On Dec 8, 10:29 am, oilpastels <resple...@gmail.com> wrote:
> I have a sinatra app that works fine on Heroku, but when requested as
> a page tab on facebook returns blank, and the logs read "attack
> prevented by Rack::Protection::RemoteToken". What is this about?


* Re: attack prevented by Rack::Protection::RemoteToken
  2011-12-08 21:24 ` mateo
@ 2011-12-08 23:54   ` oilpastels
  2012-02-24 13:50     ` vzmind
  0 siblings, 1 reply; 5+ messages in thread
From: oilpastels @ 2011-12-08 23:54 UTC (permalink / raw)
  To: Rack Development

The problem is exactly what mateo described. I spoke with Konstantin
Haase, the maintainer of the rack-protection gem referenced by Evgeni
above, and he instructed me to:

> set :protection, :except => [:remote_token, :frame_options]

And it worked.

On Dec 8, 7:24 pm, mateo <mateo.mur...@gmail.com> wrote:
> Facebook requests pages via POST, and since the referrer is different,
> it's tripping up your app's CSRF protection
>
> On Dec 8, 10:29 am, oilpastels <resple...@gmail.com> wrote:
>
> > I have a sinatra app that works fine on Heroku, but when requested as
> > a page tab on facebook returns blank, and the logs read "attack
> > prevented by Rack::Protection::RemoteToken". What is this about?

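As an added example (my own minimal reimplementation, not rack-protection's code), the middleware below mirrors the check mateo describes: a non-GET request whose Referer host differs from the app's host is rejected unless it carries the session's CSRF token. It also shows exempting only the page-tab route (the hypothetical path `/fb_tab`) instead of disabling `remote_token` and `frame_options` for every route, which is what the `:except` setting above does; the host name and request envs are constructed.

```ruby
require 'uri'

# Stand-in for the referrer-based CSRF check (added example, not
# rack-protection's own code). A non-safe request passes only when its
# Referer host matches the app host, it carries the session CSRF token,
# or its path was explicitly exempted.
class ReferrerCsrfCheck
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

  # exempt_paths: routes the check skips (scoped instead of app-wide).
  def initialize(app, exempt_paths: [])
    @app = app
    @exempt = exempt_paths
  end

  def call(env)
    return @app.call(env) if accepts?(env)
    env['rack.logger']&.warn('attack prevented by ReferrerCsrfCheck')
    [403, { 'Content-Type' => 'text/plain' }, ['Forbidden']]
  end

  def accepts?(env)
    return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
    return true if @exempt.include?(env['PATH_INFO'])
    token = env['rack.session'][:csrf]
    return true if token && env['HTTP_X_CSRF_TOKEN'] == token
    referrer = env['HTTP_REFERER'].to_s
    return true if referrer.empty? # empty Referer allowed, as rack-protection does by default
    URI.parse(referrer).host == env['SERVER_NAME']
  rescue URI::InvalidURIError
    false # a malformed Referer is never treated as same-origin
  end
end

# Constructed Rack envs; 'myapp.example' is a placeholder host.
APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<html>tab</html>']] }

def build_env(method:, path:, referer:, host: 'myapp.example', headers: {})
  { 'REQUEST_METHOD' => method, 'PATH_INFO' => path, 'SERVER_NAME' => host,
    'HTTP_REFERER' => referer, 'rack.session' => {} }.merge(headers)
end

def status_for(env, exempt_paths: [])
  ReferrerCsrfCheck.new(APP, exempt_paths: exempt_paths).call(env).first
end

# Facebook loads a page tab with a cross-origin POST, which is the thread's symptom.
fb_tab = build_env(method: 'POST', path: '/fb_tab', referer: 'https://www.facebook.com/')
puts status_for(fb_tab)                            # 403
puts status_for(fb_tab, exempt_paths: ['/fb_tab']) # 200, only the tab route is exempt
```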

* Re: attack prevented by Rack::Protection::RemoteToken
  2011-12-08 23:54   ` oilpastels
@ 2012-02-24 13:50     ` vzmind
  0 siblings, 0 replies; 5+ messages in thread
From: vzmind @ 2012-02-24 13:50 UTC (permalink / raw)
  To: rack-devel


I confirm that this solves such an issue. Just add
set :protection, :except => [:remote_token, :frame_options]
to your config.ru

----Tks


