views:

168

answers:

2

Hello,

I'm using Ruby on Rails to make an application where businesses can create accounts and add information about their clients. I would like to be able to generate a form that they can put on their website to automatically enter the clients' info into their account. I know I might be able to do something like:

<%= form_tag my_site_url_with_action do %>
  <%# ....put here the fields for client info %>
<% end %>

But I was wondering if there is a way to make it secure by ensuring that it's coming from my client's website as opposed to some spam website or so.

Any ideas?

Thanks,

Tam

+2  A: 

Maybe using an iframe could help you out? I think it is frowned upon to use it, but use what gets the job done. :)

Having an iframe on your clients' sites, you can still have them log in and use all the XSS goodies built into Rails.

ba
A: 

If your Rails app uses RESTful resources, you can use ActiveResource.

Otherwise, the quick and dirty solution: Forms on your Rails site have an authenticity token as a hidden input. This ensures the submitted info is coming from a secure source, such as the site itself. You can use that hidden input on a remote form to get Rails to accept it. You may also want to write your receiving action to redirect back to the site it came from after it's finished processing (redirect_to :back).

Jarrod
How would you generate the authenticity token on the remote site?
Brian Armstrong