Date: Thu, 8 Dec 2011 15:54:55 -0800 (PST)
In-Reply-To: <2bab7814-f4d4-4974-87c2-1fbe3bd546a2@p14g2000yqp.googlegroups.com>
References: <07cff8a0-8439-461c-b7f6-804ab417b0f4@l24g2000yqm.googlegroups.com> <2bab7814-f4d4-4974-87c2-1fbe3bd546a2@p14g2000yqp.googlegroups.com>
Message-ID: <362bf00c-5025-4dbd-a52f-9c7cda5dcc02@e19g2000yqk.googlegroups.com>
Subject: Re: attack prevented by Rack::Protection::RemoteToken
From: oilpastels
To: Rack Development
Reply-To: rack-devel@googlegroups.com

The problem is exactly what mateo described.

I spoke with Konstantin Haase, the maintainer of the rack-protection gem referenced by Evgeni above, and he instructed me to:

> set :protection, :except => [:remote_token, :frame_options]

And it worked.

On Dec 8, 7:24 pm, mateo wrote:
> Facebook requests pages via POST, and since the referrer is different,
> it's tripping up your app's CSRF protection
>
> On Dec 8, 10:29 am, oilpastels wrote:
> > I have a Sinatra app that works fine on Heroku, but when requested as
> > a page tab on Facebook returns blank, and the logs read "attack
> > prevented by Rack::Protection::RemoteToken". What is this about?
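To make the mechanism behind the thread concrete, here is an added example (not rack-protection's code and not posted by anyone in this thread): a pure-Ruby stand-in for RemoteToken's decision logic, where the names RemoteTokenGuard, APP, post_request and guarded_status, the host myapp.example.com and the Rack env keys are all assumptions. A cross-site POST carrying a facebook.com Referer gets the 403 that produces the log line above, and listing :remote_token under except lets the same request through.

```ruby
require 'uri'
# Added example: a minimal stand-in for Rack::Protection::RemoteToken's
# decision (not the gem's code). Non-safe requests pass only when the
# Referer host matches the app host or a session CSRF token is presented.
class RemoteTokenGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze
  # `except` mirrors Sinatra's `set :protection, :except => [...]`.
  def initialize(app, except: [])
    @app = app
    @enabled = !except.include?(:remote_token)
  end

  def call(env)
    if @enabled && !accepts?(env)
      return [403, { 'Content-Type' => 'text/plain' },
              ['attack prevented by Rack::Protection::RemoteToken']]
    end
    @app.call(env)
  end

  private
  def accepts?(env)
    return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
    return true if valid_token?(env)
    referrer_host(env) == env['SERVER_NAME']
  end

  def referrer_host(env)
    ref = env['HTTP_REFERER'].to_s
    return env['SERVER_NAME'] if ref.empty? # no Referer counts as same-site
    URI.parse(ref).host
  rescue URI::InvalidURIError
    nil
  end
  def valid_token?(env)
    token = (env['rack.request.form_hash'] || {})['authenticity_token']
    !token.nil? && token == (env['rack.session'] || {})[:csrf]
  end
end

APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['page tab']] }
# Constructed Rack env for a cross-site POST such as a Facebook page-tab load.
def post_request(referer)
  { 'REQUEST_METHOD' => 'POST', 'SERVER_NAME' => 'myapp.example.com',
    'HTTP_REFERER' => referer, 'rack.session' => {} }
end
def guarded_status(env, except: [])
  RemoteTokenGuard.new(APP, except: except).call(env)[0]
end
```

With :remote_token excluded the Referer check is gone for every non-GET route, so any state-changing form in the app then needs its own CSRF token check.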