* attack prevented by Rack::Protection::RemoteToken
@ 2011-12-08 15:29 oilpastels
2011-12-08 17:20 ` Evgeni Dzhelyov
2011-12-08 21:24 ` mateo
0 siblings, 2 replies; 5+ messages in thread
From: oilpastels @ 2011-12-08 15:29 UTC (permalink / raw)
To: Rack Development
I have a sinatra app that works fine on Heroku, but when requested as
a page tab on facebook returns blank, and the logs read "attack
prevented by Rack::Protection::RemoteToken". What is this about?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: attack prevented by Rack::Protection::RemoteToken
2011-12-08 15:29 attack prevented by Rack::Protection::RemoteToken oilpastels
@ 2011-12-08 17:20 ` Evgeni Dzhelyov
2011-12-08 21:24 ` mateo
1 sibling, 0 replies; 5+ messages in thread
From: Evgeni Dzhelyov @ 2011-12-08 17:20 UTC (permalink / raw)
To: rack-devel
https://github.com/rkh/rack-protection/blob/master/lib/rack/protection/remote_token.rb
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: attack prevented by Rack::Protection::RemoteToken
2011-12-08 15:29 attack prevented by Rack::Protection::RemoteToken oilpastels
2011-12-08 17:20 ` Evgeni Dzhelyov
@ 2011-12-08 21:24 ` mateo
2011-12-08 23:54 ` oilpastels
1 sibling, 1 reply; 5+ messages in thread
From: mateo @ 2011-12-08 21:24 UTC (permalink / raw)
To: Rack Development
Facebook requests pages via POST, and since the referrer is different,
it's tripping up your app's CSRF protection
On Dec 8, 10:29 am, oilpastels <resple...@gmail.com> wrote:
> I have a sinatra app that works fine on Heroku, but when requested as
> a page tab on facebook returns blank, and the logs read "attack
> prevented by Rack::Protection::RemoteToken". What is this about?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: attack prevented by Rack::Protection::RemoteToken
2011-12-08 21:24 ` mateo
@ 2011-12-08 23:54 ` oilpastels
2012-02-24 13:50 ` vzmind
0 siblings, 1 reply; 5+ messages in thread
From: oilpastels @ 2011-12-08 23:54 UTC (permalink / raw)
To: Rack Development
The problem is exactly what mateo described. I spoke with Konstantin
Haase, the maintainer of the rack-protection gem referenced by Evgeni
above, and he instructed me to:
> set :protection, :except => [:remote_token, :frame_options]
And it worked.
On Dec 8, 7:24 pm, mateo <mateo.mur...@gmail.com> wrote:
> Facebook requests pages via POST, and since the referrer is different,
> it's tripping up your app's CSRF protection
>
> On Dec 8, 10:29 am, oilpastels <resple...@gmail.com> wrote:
>
>
>
>
>
>
>
> > I have a sinatra app that works fine on Heroku, but when requested as
> > a page tab on facebook returns blank, and the logs read "attack
> > prevented by Rack::Protection::RemoteToken". What is this about?
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: attack prevented by Rack::Protection::RemoteToken
2011-12-08 23:54 ` oilpastels
@ 2012-02-24 13:50 ` vzmind
0 siblings, 0 replies; 5+ messages in thread
From: vzmind @ 2012-02-24 13:50 UTC (permalink / raw)
To: rack-devel
[-- Attachment #1: Type: text/plain, Size: 131 bytes --]
I confirm that solve such issue. Just add
set :protection, :except => [:remote_token, :frame_options]
to your config.ru
----Tks
[-- Attachment #2: Type: text/html, Size: 149 bytes --]
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2012-02-24 15:21 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2011-12-08 15:29 attack prevented by Rack::Protection::RemoteToken oilpastels
2011-12-08 17:20 ` Evgeni Dzhelyov
2011-12-08 21:24 ` mateo
2011-12-08 23:54 ` oilpastels
2012-02-24 13:50 ` vzmind
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).