6: Adding ngGrid, an edit page, and CSRF/JSONP protection

In this, the sixth post in the Rails 4 tutorial, we change our clubs list page to use ngGrid instead of our home-made table.  We also implement an edit page for our clubs.  A key difference from the Rails 3 version of this tutorial is that we’re implementing the edit page as a page rather than as a modal dialog.

If you have dropped into the middle of the tutorial, you can find the code from the previous step at github:PaulL:tutorial_5, and you can reach the other tutorial pages either from the index page or via the tutorials menu in the menu bar above.



2: Creating the base rails backend

In this portion of the Rails 4 and AngularJS tutorial we build the base of the Rails backend.  We’ll come back later and add Devise and CanCan to it; for now we’re just focusing on having an application that runs and serves JSON.  At the end of this segment you should have a Rails server that provides clubs.json and teams.json, ready for the Angular frontend to be added.

If you’re interested in the rest of this tutorial, you can visit the index page, or hit the tutorials menu above and look at the Rails 4 tutorial category.  If you haven’t yet installed Rails 4 you may want to look at the previous page on installation, and if you’re comfortable with the Rails portion you may want to move on to the next page, which starts the AngularJS install.  Finally, the code for the position at the end of this section of the tutorial can be found on github:PaulL:tutorial_1_and_2.


JSON / JSONP XSS vulnerability with AngularJS and Rails

The AngularJS documentation for the $http service carries a very clear warning about a potential JSON/JSONP vulnerability.  The short version is that JSONP was introduced as a technique for building mashups and composite applications: it lets a page on one domain call services on another domain by loading the response as a script.

The problem is that a plain JSON response is also syntactically valid JavaScript: a top-level array is an expression the browser will happily execute.  So a service that you built as JSON can be loaded by another site through a script tag, exactly as if it were JSONP.  The browser attaches your cookies to that request, so the script runs against your already signed-in session, and in older browsers the attacking page could capture the values as they were parsed (for example by redefining the Array constructor).  In other words, script embedded in the first site can read data from your logged-in session on another website.

The outline description of this can be found on the AngularJS $http page, in the security considerations section.

The CSRF vulnerability mentioned on that page is dealt with in this post on this blog.  This post provides my current solution to the JSON/JSONP issue.
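As an added example (not the tutorial’s own code, which sits in the full post), here is the guard that the AngularJS $http documentation recommends, implemented as a Rack middleware in Ruby: every JSON response is prefixed with the string )]}',\n, which makes the body a JavaScript syntax error if another site loads it through a script tag, while Angular’s $http strips exactly that prefix before parsing.  The class name JsonPrefixGuard, the stand-in app serving clubs.json, and the sample club record are assumptions made for this demo; in a Rails application you would register the middleware with config.middleware.use JsonPrefixGuard.

```ruby
require "json"

# Added example, not the tutorial's code: a Rack middleware that applies the
# ")]}',\n" prefix the AngularJS $http docs recommend for JSON responses.
# Class and demo app names below are assumptions chosen for this demo.
class JsonPrefixGuard
  # Angular's default transformResponse strips exactly this string.
  PREFIX = ")]}',\n".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless json_response?(headers)

    # Rack bodies are enumerable chunks; gather them, then close if required.
    payload = String.new
    body.each { |chunk| payload << chunk }
    body.close if body.respond_to?(:close)

    guarded = PREFIX + payload
    # Keep Content-Length honest if the app set one.
    length_key = headers.keys.find { |k| k.casecmp?("content-length") }
    headers[length_key] = guarded.bytesize.to_s if length_key
    [status, headers, [guarded]]
  end

  private

  # Match application/json with or without parameters, any header case (Rack 2 or 3).
  def json_response?(headers)
    pair = headers.find { |k, _| k.casecmp?("content-type") }
    return false unless pair
    pair.last.to_s.split(";").first.to_s.strip.casecmp?("application/json")
  end
end

# Constructed stand-in for the tutorial's Rails app: one JSON resource, one HTML page.
CLUBS_JSON = '[{"id":1,"name":"Example Club"}]'.freeze

DEMO_APP = lambda do |env|
  if env["PATH_INFO"] == "/clubs.json"
    [200, { "Content-Type" => "application/json; charset=utf-8",
            "Content-Length" => CLUBS_JSON.bytesize.to_s }, [CLUBS_JSON]]
  else
    [200, { "Content-Type" => "text/html" }, ["<p>not json</p>"]]
  end
end

# Run a GET through the guarded app and return [status, headers, body_string].
def guarded_response(path)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => path }
  status, headers, body = JsonPrefixGuard.new(DEMO_APP).call(env)
  [status, headers, body.join]
end

# What the Angular client does before JSON.parse, written in Ruby to show the round trip.
def strip_json_prefix(text)
  text.start_with?(JsonPrefixGuard::PREFIX) ? text[JsonPrefixGuard::PREFIX.length..-1] : text
end

if __FILE__ == $PROGRAM_NAME
  _, _, body = guarded_response("/clubs.json")
  puts body                              # begins with )]}', so a <script> load fails to parse
  p JSON.parse(strip_json_prefix(body))  # the Angular client still receives the array
end
```

The prefix only protects responses that a browser would execute as script; it does nothing for the CSRF case, which still needs the token check covered in the CSRF post, and it must be applied consistently, since any JSON endpoint left unprefixed is still loadable as JSONP.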
