JangoSteve / remotipart

Rails jQuery file uploads via standard Rails "remote: true" forms.
http://os.alfajango.com/remotipart

ActionController::InvalidCrossOriginRequest after redirect in rails >= 4.1 #130

Status: Open. MGotink opened this issue 9 years ago.

MGotink commented 9 years ago

I'm getting an ActionController::InvalidCrossOriginRequest exception when I try to redirect to another URL after the file upload.

Since Rails 4.1, GET requests with JavaScript responses are also covered by CSRF protection: https://github.com/rails/rails/blob/v4.2.2/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L219-L227

It looks like, because X-Requested-With is only set in the form data and not as a request header, the browser won't send it as a header in the redirected request, which triggers the InvalidCrossOriginRequest.

A sample application demonstrating the issue can be found here: https://github.com/MGotink/remotipart-redirect-demo

For now I've disabled forgery protection for the specific action. It would be nice if this weren't necessary, but as far as I can see that might not be possible with the current way of uploading the files.

jszwedko commented 8 years ago

Just ran into this as well -- did you find a better workaround @MGotink? Or are you still just disabling protection for that action?

MGotink commented 8 years ago

I'm still disabling the CSRF protection for that specific action: `protect_from_forgery except: :index`

jszwedko commented 8 years ago

:+1: thanks! I'll continue doing the same.
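The following is an added example and is not code from this issue, from remotipart or from Rails. It models, in plain Ruby that runs without Rails, the two flows discussed in the thread: the HTTP redirect after the upload, which the Rails >= 4.1 same-origin check rejects (MGotink's report), and the `protect_from_forgery except:` workaround (the later comments), alongside a third option that keeps forgery protection on by answering the upload POST directly with JavaScript that navigates the page. The model makes these assumptions: `request.xhr?` reads only the HTTP header and never the form params; remotipart's middleware promotes the hidden `X-Requested-With` form field to a real header on the initial POST (a simplified stand-in, not the gem's actual code); and the redirect target renders JavaScript, as in the reported scenario.

```ruby
require "json"

# Added example (not from the issue, remotipart or Rails): a plain-Ruby model of the
# Rails >= 4.1 verify_same_origin_request check and the request flows around it.

class InvalidCrossOriginRequest < StandardError; end

Request = Struct.new(:method, :headers, :params, keyword_init: true) do
  # Like Rails' request.xhr?: consults the header only, never form params.
  def xhr?
    headers["X-Requested-With"] == "XMLHttpRequest"
  end
end

# Simplified stand-in (assumption) for remotipart's middleware: for a form submitted
# through its iframe transport, promote the hidden X-Requested-With field to a header.
def apply_remotipart_middleware(request)
  if request.params["remotipart_submitted"] && request.params["X-Requested-With"]
    request.headers["X-Requested-With"] = request.params["X-Requested-With"]
  end
  request
end

# Model of ActionController's verify_same_origin_request (Rails >= 4.1): a JavaScript
# body returned to a non-XHR request is treated as a cross-origin script fetch.
# protect_from_forgery except: :action disables this check for that action.
def verify_same_origin_request!(request, content_type, forgery_protection: true)
  return :skipped unless forgery_protection
  javascript = content_type.start_with?("text/javascript", "application/javascript")
  if javascript && !request.xhr?
    raise InvalidCrossOriginRequest, "non-XHR request received a JavaScript response"
  end
  :ok
end

def remotipart_upload_post
  apply_remotipart_middleware(
    Request.new(method: "POST", headers: {},
                params: { "remotipart_submitted" => "true",
                          "X-Requested-With" => "XMLHttpRequest" })
  )
end

# Flow 1: the upload POST is answered with an HTTP 302. The browser follows it inside
# remotipart's iframe with a fresh GET that carries neither the hidden form fields nor
# the header, so the JavaScript response of the redirect target fails the check.
def redirect_flow(forgery_protection: true)
  post = remotipart_upload_post
  raise "upload POST should itself count as XHR" unless post.xhr?
  followed = Request.new(method: "GET", headers: {}, params: {}) # browser-issued
  verify_same_origin_request!(followed, "text/javascript",
                              forgery_protection: forgery_protection)
end

# Flow 2: keep forgery protection on and answer the POST itself with JavaScript that
# navigates. The check now runs against the POST, which the middleware marked as XHR,
# and no second, header-less request is ever made. Returns the JS body.
def js_navigation_flow(target_path)
  post = remotipart_upload_post
  verify_same_origin_request!(post, "text/javascript")
  "window.location.replace(#{target_path.to_json});"
end

if __FILE__ == $PROGRAM_NAME
  begin
    redirect_flow
  rescue InvalidCrossOriginRequest => e
    puts "302 after upload: #{e.class}: #{e.message}"
  end
  puts "protect_from_forgery except: -> #{redirect_flow(forgery_protection: false)}"
  puts "JS navigation response: #{js_navigation_flow('/uploads')}"
end
```

In a real controller the third flow corresponds to responding to the upload with `render js: ...` (or a `.js.erb` template) that sets `window.location`, instead of `redirect_to`; the authenticity-token check on the POST stays in force, and only the follow-up GET that lacked the header disappears.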