ActionPack: Security

The Rails 2.0 Preview Release is available now, which is great news. The announcement includes a paragraph on security:

  • "we now ship with a built-in mechanism for dealing with CSRF attacks"; yes, it works fine.
  • "The old TextHelper#sanitize method has gone from a black list (very hard to keep secure) approach to a white list approach." Very good news. This is in fact the white_list plugin, which has been merged into Rails. A test with my private XSS list worked fine. You can also allow extra tags and attributes directly in the call:
    sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style)
  • "Finally, we’ve added support for HTTP only cookies. They are not yet supported by all browsers, but you can use them where they are." HttpOnly cookies are honoured by IE 6 SP1 and, since the recent 2.0.0.5 release, by Firefox. An HttpOnly cookie is no longer visible to document.cookie. Keep in mind, though, that this only closes the most obvious route to the cookie: a script may still read it out of Set-Cookie response headers through XMLHttpRequest in browsers that do not filter them, or via the HTTP TRACE method (cross-site tracing), and an injected script does not need the cookie at all to send requests in the victim's session, since the browser attaches it automatically. So HttpOnly makes cookie theft harder, but it is not a fix for XSS.
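To show what the CSRF mechanism in the first point actually checks, here is a simplified token scheme added for this post. It is not the Rails code behind protect_from_forgery (in Rails 2.0 you enable that in ApplicationController and hand it a secret); the function names, the plain-hash request and the secret are this example's own assumptions, and only Ruby's standard library is used.

```ruby
require 'openssl'

# Stand-in for the application secret (constructed for this example; a real
# app keeps it in configuration, never in source).
SECRET = 'constructed-example-secret'

# Requests with these methods must not change state, so they carry no token.
SAFE_METHODS = %w[GET HEAD].freeze

# Bind a token to the session: HMAC-SHA1(secret, session id). Nothing has to
# be stored server-side, and a token from one session is useless in another.
def form_authenticity_token(session_id, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, session_id)
end

# Hidden field that the form helpers would add to every form the app renders.
def token_field(session_id)
  %(<input type="hidden" name="authenticity_token" value="#{form_authenticity_token(session_id)}" />)
end

# Constant-time comparison so timing does not leak how many bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.reduce(0, :|).zero?
end

# The request is a plain hash here (constructed stand-in for the controller's
# request object): :method, :session_id (from the session cookie) and :params.
# An attacker's page can make the victim's browser send the cookie, but it
# cannot read the token tied to that session, so a forged POST fails here.
def verified_request?(req, secret = SECRET)
  return true if SAFE_METHODS.include?(req[:method].to_s.upcase)
  expected = form_authenticity_token(req[:session_id], secret)
  secure_compare(req[:params].fetch('authenticity_token', '').to_s, expected)
end

if __FILE__ == $0
  sid = 'session-123'
  forged = { :method => 'POST', :session_id => sid, :params => {} }
  genuine = { :method => 'POST', :session_id => sid,
              :params => { 'authenticity_token' => form_authenticity_token(sid) } }
  puts "forged request accepted?  #{verified_request?(forged)}"
  puts "genuine request accepted? #{verified_request?(genuine)}"
end
```

Two things follow from the shape of the check. GET and HEAD are waved through, so any action that changes state on a GET stays forgeable no matter what the filter does; and the whole scheme rests on the attacker not being able to read the token, which an XSS hole in the same origin hands over directly.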
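To make the black list versus white list point from the second item concrete, here is a toy sanitizer added for this post. It is not the white_list plugin or the Rails TextHelper#sanitize implementation; it only mirrors the :tags and :attributes options shown above. DEFAULT_TAGS, DEFAULT_ATTRS, SAFE_SCHEMES and blacklist_strip are this example's own names, and the inputs in the usage block are constructed.

```ruby
require 'cgi'

# What is allowed unless the caller adds more; everything else is dropped.
DEFAULT_TAGS  = %w[a b i em strong p br ul ol li].freeze
DEFAULT_ATTRS = %w[href title].freeze
# Only these URL schemes may appear in href/src; anything else is dropped.
SAFE_SCHEMES  = %w[http https mailto ftp].freeze
URL_ATTRS     = %w[href src].freeze

TAG_RE  = /\A<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>\z/
ATTR_RE = /([a-zA-Z][\w:-]*)\s*(?:=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/

def safe_url?(value)
  # Strip whitespace and control characters first: "java\tscript:" still
  # reads as javascript: to a browser.
  cleaned = value.gsub(/[\s\x00-\x1f]/, '').downcase
  return true unless cleaned.include?(':')   # relative URL, no scheme
  SAFE_SCHEMES.include?(cleaned.split(':', 2).first)
end

# Re-emit an allowed tag with only allowed attributes, re-quoted and escaped.
def rebuild_tag(closing, name, attr_str, allowed_attrs)
  return "</#{name}>" unless closing.empty?
  attrs = attr_str.scan(ATTR_RE).map do |attr, raw|
    attr = attr.downcase
    next unless allowed_attrs.include?(attr)
    value = raw.to_s.sub(/\A(["'])(.*)\1\z/m, '\2')   # unquote
    next if URL_ATTRS.include?(attr) && !safe_url?(value)
    %( #{attr}="#{CGI.escapeHTML(value)}")
  end.compact.join
  "<#{name}#{attrs}>"
end

# White list: keep known-good tags and attributes, neutralise everything else.
def sanitize(html, opts = {})
  allowed_tags  = (DEFAULT_TAGS + Array(opts[:tags])).map(&:downcase)
  allowed_attrs = (DEFAULT_ATTRS + Array(opts[:attributes])).map(&:downcase)
  # split with a capturing group keeps the tag tokens in the result
  html.split(/(<\/?[a-zA-Z][a-zA-Z0-9]*[^<>]*>)/).map do |tok|
    if (m = TAG_RE.match(tok))
      closing, name, attr_str = m[1], m[2].downcase, m[3]
      allowed_tags.include?(name) ? rebuild_tag(closing, name, attr_str, allowed_attrs) : ''
    else
      # Text that did not parse as a tag never gets to become one later.
      tok.gsub('<', '&lt;').gsub('>', '&gt;')
    end
  end.join
end

# Black list, for contrast: remove what looks dangerous and keep the rest.
def blacklist_strip(html)
  html.gsub(/<\/?script[^>]*>/i, '')
end

if __FILE__ == $0
  # Constructed payloads: a nested tag that survives one pass of stripping,
  # and an event handler the script-tag filter never looks at.
  nested  = '<scr<script>ipt>alert(1)</script>'
  handler = '<img src=x onerror=alert(1)>'
  puts "black list: #{blacklist_strip(nested)} | #{blacklist_strip(handler)}"
  puts "white list: #{sanitize(nested)} | #{sanitize(handler, :tags => %w(img), :attributes => %w(src))}"
  puts sanitize('<table><tr><td class="c" onclick="x()">1</td></tr></table>',
                :tags => %w(table tr td), :attributes => %w(id class style))
end
```

The black list reassembles `<script>alert(1)` from the nested payload and passes the onerror handler untouched, while the white list escapes the first and keeps only src on the second. Two caveats carry over to the real thing: every tag or attribute you add to the list is granted to every user, and an attribute like style deserves filtering of its own (old IE evaluated expression() inside CSS), which this toy does not attempt; nor does it decode entities such as a `&#58;` standing in for the colon of a scheme.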