diff options
author | Tim Ruffles <timruffles@googlemail.com> | 2013-07-26 16:47:18 +0100 |
---|---|---|
committer | Tim Ruffles <timruffles@googlemail.com> | 2013-08-06 10:55:58 +0100 |
commit | 08525e3ef172873a5fa525b27f445012d9e226c3 (patch) | |
tree | da96c61866f5c03c0536b99b97bc55ff3b4c0b77 | |
parent | 9281adc64acc5071c1d0d699158c97eae8430810 (diff) | |
download | rails-08525e3ef172873a5fa525b27f445012d9e226c3.tar.gz rails-08525e3ef172873a5fa525b27f445012d9e226c3.tar.bz2 rails-08525e3ef172873a5fa525b27f445012d9e226c3.zip |
be more specific about csrf token and ajax - not whitelisted outside of jquery-rails [ci skip]
-rw-r--r-- | actionview/lib/action_view/helpers/csrf_helper.rb | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/actionview/lib/action_view/helpers/csrf_helper.rb b/actionview/lib/action_view/helpers/csrf_helper.rb index eeb0ed94b9..5af92c4ff2 100644 --- a/actionview/lib/action_view/helpers/csrf_helper.rb +++ b/actionview/lib/action_view/helpers/csrf_helper.rb @@ -12,8 +12,11 @@ module ActionView # These are used to generate the dynamic forms that implement non-remote links with # <tt>:method</tt>. # - # Note that regular forms generate hidden fields, and that Ajax calls are whitelisted, - # so they do not use these tags. + # You don't need to use these tags for regular forms as they generate their own hidden fields. + # + # For AJAX requests other than GETs, extract the "csrf-token" from the meta-tag and send as the + # "X-CSRF-Token" HTTP header. If you are using jQuery with jquery-rails this happens automatically. + # def csrf_meta_tags if protect_against_forgery? [ |