ActionController::InvalidAuthenticityToken error when using firefox
I recently came across “ActionController::InvalidAuthenticityToken” error while working on an ROR application. It kind of threw me off track. I was thinking this error is somehow related to cross-site request forgery and something to do with protect_from_forgery option in application.rb controller. This error would only show up in Firefox and not in IE.
The problem is that Firefox as per standards does not allow form elements to be inserted within the “table” or “tr” elements (You can embed a form within the “td” and it will work). The form functionality gets broken if it is within the “table” or “tr” elements and you can get unpredictable results. The following is a mortgage calculator form. Firefox gave the “ActionController::InvalidAuthenticityToken” error when the remote_form_for helper was used within the table as shown below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 | <table class="calc_form"> <% remote_form_for(@calc, :update=>"Calculation", :loading => "$('Calculation').hide();$('loading').show();", :complete => "$('Calculation').show();$('loading').hide();") do |f| %> <tr> <th align="center" colspan="2"> Mortgage Calculator </th> </tr> <tr> <td align="left"><%= f.label "Loan Amount: "%></td> <td><%= f.text_field :balance, :size=>"7" %></td> </tr> <%= f.hidden_field :object_id %> <tr> <td align="left"><%= f.label "Interest rate: " %></td> <td><%= f.text_field :interest_rate, :size=>"2" %></td> </tr> <tr> <td align="left"><%= f.label "Term length: " %></td> <td><%= f.text_field:term_length, :size=>"1"%> yrs</td> </tr> <tr> <td align="left"><%= f.label :payment_type %></td> <td><%= select :calc, :payment_type, ["Biweekly","Monthly"]%></td> </tr> <tr> <td align="left"><%= f.label "First Payment Date"%></td> <td><%= select :calc, :starting_month,months %> <%= select :calc, :starting_year,yrs %></td> </tr> <tr> <td align="left"><%= f.label "Show Amortization Table" %></td> <td><%= f.check_box :do_table%></td> </tr> <tr > <td align="center" colspan="2"><%= f.submit "Calculate" %></td> </tr> <% end %> </table> |
The right way to do it is put the remote_form_for tag outside of table as shown below. I had to spend lot of time figuring this out. IE is very forgiving regarding your mistakes but Firefox catches your mistakes.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 | <% remote_form_for(@calc, :update=>"Calculation", :loading => "$('Calculation').hide();$('loading').show();", :complete => "$('Calculation').show();$('loading').hide();") do |f| %> <table class="calc_form"> <tr> <th align="center" colspan="2"> Mortgage Calculator </th> </tr> <tr> <td align="left"><%= f.label "Loan Amount: "%></td> <td><%= f.text_field :balance, :size=>"7" %></td> </tr> <%= f.hidden_field :object_id %> <tr> <td align="left"><%= f.label "Interest rate: " %></td> <td><%= f.text_field :interest_rate, :size=>"2" %></td> </tr> <tr> <td align="left"><%= f.label "Term length: " %></td> <td><%= f.text_field:term_length, :size=>"1"%> yrs</td> </tr> <tr> <td align="left"><%= f.label :payment_type %></td> <td><%= select :calc, :payment_type, ["Biweekly","Monthly"]%></td> </tr> <tr> <td align="left"><%= f.label "First Payment Date"%></td> <td><%= select :calc, :starting_month,months %> <%= select :calc, :starting_year,yrs %></td> </tr> <tr> <td align="left"><%= f.label "Show Amortization Table" %></td> <td><%= f.check_box :do_table%></td> </tr> <tr > <td align="center" colspan="2"><%= f.submit "Calculate" %></td> </tr> </table> <% end %> |
Tags: ActionController, csrf, firefox, form within a table, InvalidAuthenticityToken, linkedin, protect_from_forgery, remote_form_for
September 1st, 2009 at 5:35 am
It’s good to monitor if our HTML is valid.
There are no written standards for dealing with invalid HTML so browsers can behave unexpectedly in such case
All the best :)
December 25th, 2009 at 1:25 am
Thanks, that save me some time. I was testing on FF only and was fixating on the ‘protect_from_forgery’
Cheers
May 28th, 2010 at 1:31 am
hey,Excellent blog post dude! i am Tired of using RSS feeds and do you use twitter?so i can follow you there:D.
PS:Have you thought putting video to this blog to keep the people more interested?I think it works.Sincerely, Jeana Jungen
August 10th, 2010 at 7:20 pm
Hmmm…very good to find out, there were certainly two or three things in which I had not thought of before.
October 11th, 2010 at 9:36 pm
I am all for hitting the proverbial reset button, declaring possession to imply full ownership. All mortgages need to be forgiven. Starting…. now!
January 9th, 2012 at 3:37 am
father, May they be in us, as you are in me, and I am in you, so that the world may believe it was you who sent me. John 17:21
O God of peace, who through your son Jesus Christ did proclaim one faith for the salvation of mankind, send your grace and blessing on all Christians who are striving to draw near to you and to each other. give us boldness to seek only your glory and the advancement of your Kingdom. Unite us all in you, Father, who with your son and the Holy Spirit, are one God for ever and ever. Purify our hearts to see and love the truth, give wisdom to our learder and steadfastness to our people, keep our nations in your tender care during these difficult times, through Jesus Christ our Lord. love & peace to the whole world.