codebar / planner / 27333770495

95%

master: 95%

Pull #2641

github

fix: skip CSRF protection for feedback form submission

The feedback form uses a unique secret token in the URL to authenticate
the request. This is sufficient protection against CSRF — an attacker
would need to know the token to submit the form.

However, protect_from_forgery requires a session cookie, which browsers
like Safari withhold when they classify the request as cross-site (e.g.
when a user navigates from a third-party app or Intelligent Tracking
Prevention is active). This causes the form submission to fail with
ActionController::InvalidAuthenticityToken even for legitimate users.

This has caused 82 occurrences in production (Rollbar #535).

Changes:
- Skip CSRF protection on FeedbackController#submit
- Add controller specs covering show, submit, and the CSRF-exempt path

Fixes: https://app.rollbar.com/a/codebar-production/fix/item/codebar-production/535#detail

1 of 1 new or added line in 1 file covered. (100.0%)

3552 of 3726 relevant lines covered (95.33%)

42.37 hits per line