Add CSRF protection to Omniauth requests

More info: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9284 https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
2019-11-09 16:16:47 +01:00
parent 11adacfdb9
commit c4ebea27a7
3 changed files with 22 additions and 11 deletions
--- a/app/views/devise/_omniauth_form.html.erb
+++ b/app/views/devise/_omniauth_form.html.erb
@@ -12,7 +12,8 @@
        <div class="small-12 medium-6 large-4 column end">
          <%= link_to t("omniauth.twitter.name"), user_twitter_omniauth_authorize_path,
                      title: t("omniauth.twitter.sign_in"),
-                      class: "button-twitter button expanded" %>
+                      class: "button-twitter button expanded",
+                      method: :post %>
        </div>
      <% end %>

@@ -20,7 +21,8 @@
        <div class="small-12 medium-6 large-4 column end">
          <%= link_to t("omniauth.facebook.name"), user_facebook_omniauth_authorize_path,
                      title: t("omniauth.facebook.sign_in"),
-                      class: "button-facebook button expanded" %>
+                      class: "button-facebook button expanded",
+                      method: :post %>
        </div>
      <% end %>

@@ -28,7 +30,8 @@
        <div class="small-12 medium-6 large-4 column end">
          <%= link_to t("omniauth.google_oauth2.name"), user_google_oauth2_omniauth_authorize_path,
                      title: t("omniauth.google_oauth2.sign_in"),
-                      class: "button-google button expanded" %>
+                      class: "button-google button expanded",
+                      method: :post %>
        </div>
      <% end %>

@@ -49,7 +52,8 @@
        <div class="small-12 medium-6 large-4 column end">
          <%= link_to t("omniauth.twitter.name"), user_twitter_omniauth_authorize_path,
                      title: t("omniauth.twitter.sign_up"),
-                      class: "button-twitter button expanded" %>
+                      class: "button-twitter button expanded",
+                      method: :post %>
        </div>
      <% end %>

@@ -57,7 +61,8 @@
        <div class="small-12 medium-6 large-4 column end">
          <%= link_to t("omniauth.facebook.name"), user_facebook_omniauth_authorize_path,
                      title: t("omniauth.facebook.sign_up"),
-                      class: "button-facebook button expanded" %>
+                      class: "button-facebook button expanded",
+                      method: :post %>
        </div>
      <% end %>

@@ -65,7 +70,8 @@
        <div class="small-12 medium-6 large-4 column end">
          <%= link_to t("omniauth.google_oauth2.name"), user_google_oauth2_omniauth_authorize_path,
                      title: t("omniauth.google_oauth2.sign_up"),
-                      class: "button-google button expanded" %>
+                      class: "button-google button expanded",
+                      method: :post %>
        </div>
      <% end %>