Cross-site Request Forgery Prevention on Inside Requests

thiagovidal · July 1, 2010, 1:36pm

Following this topic

http://www.yiiframework.com/doc/guide/topics.security#cross-site-request-forgery-prevention

I enabled the Cross-site Request Forgery Prevention to secure my site.

congif/main.php

…

'components'=&gt;array(


    'request'=&gt;array(


        'enableCsrfValidation'=&gt;true,


    ),


),

…

Now my javascripts doesn’t work properly 'cause they send csrf via code to my controllers. What can I do to use this feature of the framework and get my javascripts working. I know the CHtml:form generates the correct values to send to the controller to prevent this. How can i get this working with get requests?

waylex · July 15, 2010, 11:39am

I Receive A Blank Screen When I Upload My Web Application To A Domain

Following this topic

http://www.yiiframework.com/doc/guide/topics.security#cross-site-request-forgery-prevention

I enabled the Cross-site Request Forgery Prevention to secure my site.

congif/main.php

…
'components'=&gt;array(


    'request'=&gt;array(


        'enableCsrfValidation'=&gt;true,


    ),


),
…

Now my javascripts doesn’t work properly 'cause they send csrf via code to my controllers. What can I do to use this feature of the framework and get my javascripts working. I know the CHtml:form generates the correct values to send to the controller to prevent this. How can i get this working with get requests?

Make your scripts send GET requests instead of POST. This will help.

On the other hand, if you need to post with JavaScript to controllers,

you will need too manually add CSRF token to your posted data. See

CHtml::beginForm for details.

Finally, if you have CSRF enabled and use a kind of service listning

for POST requests from other websites (for example, payment gateways),

you will need to override CHttpRequest and implement exclusions mechanism.

thiagovidal · July 15, 2010, 2:13pm

Thanks dude. I got it working now.