diff options
author | Yves Senn <yves.senn@gmail.com> | 2014-02-03 08:38:44 -0800 |
---|---|---|
committer | Yves Senn <yves.senn@gmail.com> | 2014-02-03 08:38:44 -0800 |
commit | 28abd967fcc8544650c73910a8a0cbaa6dafc1f5 (patch) | |
tree | 78f995f00fb1f53fae6d0670f5861624f9c3b5b8 | |
parent | dd493d3b6f25147227db4c5d119d6b48c31f42e6 (diff) | |
parent | 08525e3ef172873a5fa525b27f445012d9e226c3 (diff) | |
download | rails-28abd967fcc8544650c73910a8a0cbaa6dafc1f5.tar.gz rails-28abd967fcc8544650c73910a8a0cbaa6dafc1f5.tar.bz2 rails-28abd967fcc8544650c73910a8a0cbaa6dafc1f5.zip |
Merge pull request #11770 from timruffles/doc_ajax_xhr
be more specific about csrf token and ajax - not whitelisted outside of jquery-rails [ci skip]
-rw-r--r-- | actionview/lib/action_view/helpers/csrf_helper.rb | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/actionview/lib/action_view/helpers/csrf_helper.rb b/actionview/lib/action_view/helpers/csrf_helper.rb index eeb0ed94b9..5af92c4ff2 100644 --- a/actionview/lib/action_view/helpers/csrf_helper.rb +++ b/actionview/lib/action_view/helpers/csrf_helper.rb @@ -12,8 +12,11 @@ module ActionView # These are used to generate the dynamic forms that implement non-remote links with # <tt>:method</tt>. # - # Note that regular forms generate hidden fields, and that Ajax calls are whitelisted, - # so they do not use these tags. + # You don't need to use these tags for regular forms as they generate their own hidden fields. + # + # For AJAX requests other than GETs, extract the "csrf-token" from the meta-tag and send as the + # "X-CSRF-Token" HTTP header. If you are using jQuery with jquery-rails this happens automatically. + # def csrf_meta_tags if protect_against_forgery? [ |