aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorYves Senn <yves.senn@gmail.com>2014-02-03 08:38:44 -0800
committerYves Senn <yves.senn@gmail.com>2014-02-03 08:38:44 -0800
commit28abd967fcc8544650c73910a8a0cbaa6dafc1f5 (patch)
tree78f995f00fb1f53fae6d0670f5861624f9c3b5b8
parentdd493d3b6f25147227db4c5d119d6b48c31f42e6 (diff)
parent08525e3ef172873a5fa525b27f445012d9e226c3 (diff)
downloadrails-28abd967fcc8544650c73910a8a0cbaa6dafc1f5.tar.gz
rails-28abd967fcc8544650c73910a8a0cbaa6dafc1f5.tar.bz2
rails-28abd967fcc8544650c73910a8a0cbaa6dafc1f5.zip
Merge pull request #11770 from timruffles/doc_ajax_xhr
be more specific about csrf token and ajax - not whitelisted outside of jquery-rails [ci skip]
-rw-r--r--actionview/lib/action_view/helpers/csrf_helper.rb7
1 files changed, 5 insertions, 2 deletions
diff --git a/actionview/lib/action_view/helpers/csrf_helper.rb b/actionview/lib/action_view/helpers/csrf_helper.rb
index eeb0ed94b9..5af92c4ff2 100644
--- a/actionview/lib/action_view/helpers/csrf_helper.rb
+++ b/actionview/lib/action_view/helpers/csrf_helper.rb
@@ -12,8 +12,11 @@ module ActionView
# These are used to generate the dynamic forms that implement non-remote links with
# <tt>:method</tt>.
#
- # Note that regular forms generate hidden fields, and that Ajax calls are whitelisted,
- # so they do not use these tags.
+ # You don't need to use these tags for regular forms as they generate their own hidden fields.
+ #
+ # For AJAX requests other than GETs, extract the "csrf-token" from the meta-tag and send as the
+ # "X-CSRF-Token" HTTP header. If you are using jQuery with jquery-rails this happens automatically.
+ #
def csrf_meta_tags
if protect_against_forgery?
[