Built-In XSS Protection in Rails will Confuse You

Matt Jankowski

If you do Rails development of multiple applications simultaneously on a machine that you access with one hostname – but using different ports for the different applications – you might end up with a problem.

The problem will be that you’ll have a cookie set in your browser which ties you into a session for one of the applications, and then you’ll try to hit the second application, and you’ll get an empty screen and a 403 error in the logs, with little else to go on.

This is a little-documented built-in defense against cross site scripting, but you won’t know that when you keep getting empty screens back from your otherwise correct application.

You can solve this by either deleting your cookies for that domain/host, or by deleting the session store for the applications.