At some point after I upgraded from Rails 3.2 to Rails 4.1, I started getting the following errors:
ActionController::InvalidCrossOriginRequest: Security warning: an embedded tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript
They mainly come from Internet Explorer 6 or 8 browsers on Windows XP, and never have accompanying user info, even though they're accessing a controller action that is only displayed to signed-in users.
How do I fix this issue or resolve it?
(See also a related issue from before upgrading: Why does Rails Fail to access the Session in an Ajax request from Internet Explorer?)
As per "CSRF protection from remote <script> tags" from the Rails guide:
In the case of tests, where you are also doing the client, change from:
get :index, format: :js
To:
xhr :get, :index, format: :js
http://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#csrf-protection-from-remote-script-tags
In case you want to make this route skip the CSRF check, whitelist the route using something like:
protect_from_forgery :except => :create
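The following is an added example, not code from the question, the answer or Rails itself: a plain-Ruby model of the check behind the error, showing why a plain GET for JavaScript is refused, why an XHR passes, and what exempting the action changes. The `Request` struct, `serve`, `outcome` and the sample requests are hypothetical names, and the logic is a simplification of the Rails 4.1 behaviour.

```ruby
# Simplified stand-in for the Rails 4.1 same-origin check on JavaScript
# responses. Constructed for illustration; this is not Rails source code.
class InvalidCrossOriginRequest < StandardError; end

# Hypothetical minimal request: only the HTTP method and headers matter here.
Request = Struct.new(:http_method, :headers) do
  def get?
    http_method == "GET"
  end

  # Ajax libraries such as jQuery send this header; a <script src> tag
  # embedded on another site has no way to add it.
  def xhr?
    headers["X-Requested-With"].to_s.match?(/XMLHttpRequest/i)
  end
end

# Returns :served, or raises when a non-XHR GET would receive JavaScript.
# exempt_actions models `protect_from_forgery :except => ...`.
def serve(request, action:, content_type:, exempt_actions: [])
  checked = request.get? && !exempt_actions.include?(action)
  if checked && content_type.start_with?("text/javascript") && !request.xhr?
    raise InvalidCrossOriginRequest, "non-XHR GET for protected JavaScript"
  end
  :served
end

# Same as serve, but reports a refusal as :blocked instead of raising.
def outcome(request, **opts)
  serve(request, **opts)
rescue InvalidCrossOriginRequest
  :blocked
end

# Constructed sample requests.
# Behaves like a remote <script src> tag, or `get :index, format: :js` in a test.
SCRIPT_TAG_GET = Request.new("GET", {})
# Behaves like `xhr :get, :index, format: :js`.
XHR_GET = Request.new("GET", { "X-Requested-With" => "XMLHttpRequest" })

if __FILE__ == $PROGRAM_NAME
  js = "text/javascript"
  puts outcome(SCRIPT_TAG_GET, action: :index, content_type: js)
  puts outcome(XHR_GET, action: :index, content_type: js)
  puts outcome(SCRIPT_TAG_GET, action: :index, content_type: js,
               exempt_actions: [:index])
end
```

In the last case the exempted action answers the script-tag style request, so an exemption belongs only on actions whose JavaScript response contains nothing specific to the signed-in user.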