mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Change 'a HTTP' to 'an HTTP' [ci skip]
This commit is contained in:
parent
4328e4b593
commit
ea36c579c6
7 changed files with 12 additions and 12 deletions
|
@ -185,7 +185,7 @@ module ActionController
|
|||
!request.fresh?(response)
|
||||
end
|
||||
|
||||
# Sets a HTTP 1.1 Cache-Control header. Defaults to issuing a +private+
|
||||
# Sets an HTTP 1.1 Cache-Control header. Defaults to issuing a +private+
|
||||
# instruction, so that intermediate caches must not cache the response.
|
||||
#
|
||||
# expires_in 20.minutes
|
||||
|
@ -195,7 +195,7 @@ module ActionController
|
|||
# This method will overwrite an existing Cache-Control header.
|
||||
# See http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for more possibilities.
|
||||
#
|
||||
# The method will also ensure a HTTP Date header for client compatibility.
|
||||
# The method will also ensure an HTTP Date header for client compatibility.
|
||||
def expires_in(seconds, options = {})
|
||||
response.cache_control.merge!(
|
||||
:max_age => seconds,
|
||||
|
@ -208,7 +208,7 @@ module ActionController
|
|||
response.date = Time.now unless response.date?
|
||||
end
|
||||
|
||||
# Sets a HTTP 1.1 Cache-Control header of <tt>no-cache</tt> so no caching should
|
||||
# Sets an HTTP 1.1 Cache-Control header of <tt>no-cache</tt> so no caching should
|
||||
# occur by the browser or intermediate caches (like caching proxy servers).
|
||||
def expires_now
|
||||
response.cache_control.replace(:no_cache => true)
|
||||
|
@ -216,7 +216,7 @@ module ActionController
|
|||
|
||||
# Cache or yield the block. The cache is supposed to never expire.
|
||||
#
|
||||
# You can use this method when you have a HTTP response that never changes,
|
||||
# You can use this method when you have an HTTP response that never changes,
|
||||
# and the browser and proxies should cache it indefinitely.
|
||||
#
|
||||
# * +public+: By default, HTTP responses are private, cached only on the
|
||||
|
|
|
@ -428,7 +428,7 @@ module ActionController
|
|||
end
|
||||
alias xhr :xml_http_request
|
||||
|
||||
# Simulate a HTTP request to +action+ by specifying request method,
|
||||
# Simulate an HTTP request to +action+ by specifying request method,
|
||||
# parameters and set/volley the response.
|
||||
#
|
||||
# - +action+: The controller action to call.
|
||||
|
|
|
@ -115,7 +115,7 @@ module ActionDispatch
|
|||
|
||||
private
|
||||
|
||||
# Converts a HTTP header name to an environment variable name if it is
|
||||
# Converts an HTTP header name to an environment variable name if it is
|
||||
# not contained within the headers hash.
|
||||
def env_name(key)
|
||||
key = key.to_s
|
||||
|
|
|
@ -117,7 +117,7 @@ module ActionDispatch
|
|||
# # Tests a route, providing a defaults hash
|
||||
# assert_routing 'controller/action/9', {id: "9", item: "square"}, {controller: "controller", action: "action"}, {}, {item: "square"}
|
||||
#
|
||||
# # Tests a route with a HTTP method
|
||||
# # Tests a route with an HTTP method
|
||||
# assert_routing({ method: 'put', path: '/product/321' }, { controller: "product", action: "update", id: "321" })
|
||||
def assert_routing(path, options, defaults={}, extras={}, message=nil)
|
||||
assert_recognizes(options, path, extras, message)
|
||||
|
|
|
@ -700,7 +700,7 @@ This would detect that there are no books with the specified ID, populate the `@
|
|||
|
||||
### Using `head` To Build Header-Only Responses
|
||||
|
||||
The `head` method can be used to send responses with only headers to the browser. The `head` method accepts a number or symbol (see [reference table](#the-status-option)) representing a HTTP status code. The options argument is interpreted as a hash of header names and values. For example, you can return only an error header:
|
||||
The `head` method can be used to send responses with only headers to the browser. The `head` method accepts a number or symbol (see [reference table](#the-status-option)) representing an HTTP status code. The options argument is interpreted as a hash of header names and values. For example, you can return only an error header:
|
||||
|
||||
```ruby
|
||||
head :bad_request
|
||||
|
|
|
@ -381,7 +381,7 @@ Refer to the Injection section for countermeasures against XSS. It is _recommend
|
|||
|
||||
**CSRF** Cross-Site Request Forgery (CSRF), also known as Cross-Site Reference Forgery (XSRF), is a gigantic attack method, it allows the attacker to do everything the administrator or Intranet user may do. As you have already seen above how CSRF works, here are a few examples of what attackers can do in the Intranet or admin interface.
|
||||
|
||||
A real-world example is a [router reconfiguration by CSRF](http://www.h-online.com/security/news/item/Symantec-reports-first-active-attack-on-a-DSL-router-735883.html). The attackers sent a malicious e-mail, with CSRF in it, to Mexican users. The e-mail claimed there was an e-card waiting for the user, but it also contained an image tag that resulted in a HTTP-GET request to reconfigure the user's router (which is a popular model in Mexico). The request changed the DNS-settings so that requests to a Mexico-based banking site would be mapped to the attacker's site. Everyone who accessed the banking site through that router saw the attacker's fake web site and had their credentials stolen.
|
||||
A real-world example is a [router reconfiguration by CSRF](http://www.h-online.com/security/news/item/Symantec-reports-first-active-attack-on-a-DSL-router-735883.html). The attackers sent a malicious e-mail, with CSRF in it, to Mexican users. The e-mail claimed there was an e-card waiting for the user, but it also contained an image tag that resulted in an HTTP-GET request to reconfigure the user's router (which is a popular model in Mexico). The request changed the DNS-settings so that requests to a Mexico-based banking site would be mapped to the attacker's site. Everyone who accessed the banking site through that router saw the attacker's fake web site and had their credentials stolen.
|
||||
|
||||
Another example changed Google Adsense's e-mail address and password. If the victim was logged into Google Adsense, the administration interface for Google advertisement campaigns, an attacker could change the credentials of the victim.
|
||||
|
||||
|
@ -453,7 +453,7 @@ However, the attacker may also take over the account by changing the e-mail addr
|
|||
|
||||
#### Other
|
||||
|
||||
Depending on your web application, there may be more ways to hijack the user's account. In many cases CSRF and XSS will help to do so. For example, as in a CSRF vulnerability in [Google Mail](http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/). In this proof-of-concept attack, the victim would have been lured to a web site controlled by the attacker. On that site is a crafted IMG-tag which results in a HTTP GET request that changes the filter settings of Google Mail. If the victim was logged in to Google Mail, the attacker would change the filters to forward all e-mails to their e-mail address. This is nearly as harmful as hijacking the entire account. As a countermeasure, _review your application logic and eliminate all XSS and CSRF vulnerabilities_.
|
||||
Depending on your web application, there may be more ways to hijack the user's account. In many cases CSRF and XSS will help to do so. For example, as in a CSRF vulnerability in [Google Mail](http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/). In this proof-of-concept attack, the victim would have been lured to a web site controlled by the attacker. On that site is a crafted IMG-tag which results in an HTTP GET request that changes the filter settings of Google Mail. If the victim was logged in to Google Mail, the attacker would change the filters to forward all e-mails to their e-mail address. This is nearly as harmful as hijacking the entire account. As a countermeasure, _review your application logic and eliminate all XSS and CSRF vulnerabilities_.
|
||||
|
||||
### CAPTCHAs
|
||||
|
||||
|
@ -466,7 +466,7 @@ The problem with CAPTCHAs is that they have a negative impact on the user experi
|
|||
|
||||
Most bots are really dumb. They crawl the web and put their spam into every form's field they can find. Negative CAPTCHAs take advantage of that and include a "honeypot" field in the form which will be hidden from the human user by CSS or JavaScript.
|
||||
|
||||
Note that negative CAPTCHAs are only effective against dumb bots and won't suffice to protect critical applications from targeted bots. Still, the negative and positive CAPTCHAs can be combined to increase the performance, e.g., if the "honeypot" field is not empty (bot detected), you won't need to verify the positive CAPTCHA, which would require a HTTPS request to Google ReCaptcha before computing the response.
|
||||
Note that negative CAPTCHAs are only effective against dumb bots and won't suffice to protect critical applications from targeted bots. Still, the negative and positive CAPTCHAs can be combined to increase the performance, e.g., if the "honeypot" field is not empty (bot detected), you won't need to verify the positive CAPTCHA, which would require an HTTPS request to Google ReCaptcha before computing the response.
|
||||
|
||||
Here are some ideas how to hide honeypot fields by JavaScript and/or CSS:
|
||||
|
||||
|
|
|
@ -798,7 +798,7 @@ and
|
|||
can be set directly on the `@request` instance variable:
|
||||
|
||||
```ruby
|
||||
# setting a HTTP Header
|
||||
# setting an HTTP Header
|
||||
@request.headers["Accept"] = "text/plain, text/html"
|
||||
get articles_url # simulate the request with custom header
|
||||
|
||||
|
|
Loading…
Reference in a new issue