CSRF issues with serving global JS files

Question asked by joe hobson on Sep 21, 2017
Latest reply on Mar 23, 2018 by Stuart Ryan

I run an open source (self-hosted) Canvas system deployed on two front-end servers through a load balancer. I'd like to use global JS and CSS files (styling, Google Analytics tracking, etc.). After I add a global JS file in the theme editor, I get a 422 error in my browser console when loading a page (for /accounts/1/files/12345/download?verifier=<redacted>). The Canvas log shows this error:

ActionController::InvalidCrossOriginRequest (Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.):
/var/canvas/vendor/bundle/ruby/2.4.0/gems/actionpack-5.0.2/lib/action_controller/metal/request_forgery_protection.rb:239:in `verify_same_origin_request'

Anything special I need to do in Canvas or my nginx or load balancer configs to make it all happy? I'd like to avoid disabling forgery protection. I am not using a files_domain or S3 file hosting.

Thanks! ... .joe
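The Rails method named in the stack trace, verify_same_origin_request, decides on just three facts: the request is a GET, the response is JavaScript, and the X-Requested-With header does not mark it as XMLHttpRequest. The example below is added by the editor (not Canvas or Rails code) and re-implements that decision in plain Ruby so the 422 can be reproduced offline; the sample requests, including the redacted verifier value, are constructed.

```ruby
# Stand-alone model of the conditions Rails 5.0's
# request_forgery_protection.rb checks in verify_same_origin_request.
# Constructed for illustration; not the framework's or Canvas's own code.

# Minimal stand-in for the request attributes Rails consults.
Request = Struct.new(:method, :path, :response_content_type, :headers,
                     keyword_init: true) do
  def get?
    method == "GET"
  end

  # Rails' request.xhr?: true only when X-Requested-With is XMLHttpRequest.
  def xhr?
    headers["X-Requested-With"].to_s.casecmp?("XMLHttpRequest")
  end
end

# verify_authenticity_token marks every GET for same-origin verification;
# the CSRF token itself is only checked on non-GET requests.
def marked_for_same_origin_verification?(req)
  req.get?
end

# A JavaScript response that was not requested via XMLHttpRequest, i.e. the
# shape of a plain <script src=...> load from any page, same-site or not.
# Rails 5.0 matches text/javascript; later releases also match
# application/javascript.
def non_xhr_javascript_response?(req)
  req.response_content_type.to_s.start_with?("text/javascript") && !req.xhr?
end

# The combination that raises ActionController::InvalidCrossOriginRequest
# (HTTP 422). No Origin, Referer or Host header is consulted, so a proxy or
# load balancer in front of the app cannot change this outcome.
def cross_origin_js_embedding?(req)
  marked_for_same_origin_verification?(req) && non_xhr_javascript_response?(req)
end

# Constructed samples modelled on the download URL from the question.
DOWNLOAD = "/accounts/1/files/12345/download?verifier=REDACTED"
SAMPLES = {
  script_tag: Request.new(method: "GET", path: DOWNLOAD,
                          response_content_type: "text/javascript", headers: {}),
  xhr_fetch:  Request.new(method: "GET", path: DOWNLOAD,
                          response_content_type: "text/javascript",
                          headers: { "X-Requested-With" => "XMLHttpRequest" }),
  css_file:   Request.new(method: "GET", path: DOWNLOAD,
                          response_content_type: "text/css", headers: {}),
}.freeze

def verdicts
  SAMPLES.transform_values { |r| cross_origin_js_embedding?(r) ? "422" : "200" }
end

verdicts.each { |name, code| puts "#{name}: #{code}" }
```

Only the plain script-tag load of the JavaScript file trips the check; the same file fetched via XHR, or a CSS file fetched the same way, passes, which is why the error is tied to how the global JS is served rather than to nginx or the load balancer.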