author | Jon Moss <maclover7@users.noreply.github.com> | 2017-03-23 16:30:01 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-03-23 16:30:01 -0400 |
commit | 2f3e12b8237c4b3527b6fea6da0c819fb4c80cf1 (patch) | |
tree | b69ca37d15135fdc2042dbaf6e23cc2c0542005f | |
parent | 26cfa2eae243a6a8442bf8545074f368b83d7c9e (diff) | |
parent | aed7bb67485b1e4d4c7eeb40971ac4057d48999c (diff) | |
Merge pull request #28550 from rachel-carvalho/update_browser_compatibility_for_http_verbs
Update guide to reflect browser compatibility for HTTP verbs
-rw-r--r-- | guides/source/security.md | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/guides/source/security.md b/guides/source/security.md index a14134f8c1..7e27e6f37d 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -212,7 +212,7 @@ CSRF appears very rarely in CVE (Common Vulnerabilities and Exposures) - less th NOTE: _First, as is required by the W3C, use GET and POST appropriately. Secondly, a security token in non-GET requests will protect your application from CSRF._ -The HTTP protocol basically provides two main types of requests - GET and POST (and more, but they are not supported by most browsers). The World Wide Web Consortium (W3C) provides a checklist for choosing HTTP GET or POST: +The HTTP protocol basically provides two main types of requests - GET and POST (DELETE, PUT, and PATCH should be used like POST). The World Wide Web Consortium (W3C) provides a checklist for choosing HTTP GET or POST: **Use GET if:** @@ -224,7 +224,7 @@ The HTTP protocol basically provides two main types of requests - GET and POST ( * The interaction _changes the state_ of the resource in a way that the user would perceive (e.g., a subscription to a service), or * The user is _held accountable for the results_ of the interaction. -If your web application is RESTful, you might be used to additional HTTP verbs, such as PATCH, PUT or DELETE. Most of today's web browsers, however, do not support them - only GET and POST. Rails uses a hidden `_method` field to handle this barrier. +If your web application is RESTful, you might be used to additional HTTP verbs, such as PATCH, PUT or DELETE. Some legacy web browsers, however, do not support them - only GET and POST. Rails uses a hidden `_method` field to handle these cases. _POST requests can be sent automatically, too_. In this example, the link www.harmless.com is shown as the destination in the browser's status bar. But it has actually dynamically created a new form that sends a POST request. |
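Review bot: In the first hunk (@@ -212,7 +212,7 @@), the new parenthetical "(DELETE, PUT, and PATCH should be used like POST)" is ambiguous in a CSRF section, because it does not say in which respect they are like POST. The NOTE directly above already states that "a security token in non-GET requests" is what protects the application, so the parenthetical should tie back to it, for example "(DELETE, PUT, and PATCH change state like POST and need the same security token)". The sentence also still opens with "two main types of requests" and leads into a checklist for "choosing HTTP GET or POST", so a reader has to infer that the "Use POST if" criteria cover the other three verbs; one added clause saying so would remove the guesswork.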
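Review bot: In the second hunk (@@ -224,7 +224,7 @@), "Some legacy web browsers, however, do not support them" and "to handle these cases" leave the reader unable to tell when the hidden `_method` field is actually used: the text names no browsers and does not say what "support" refers to. Suggest stating the condition concretely instead of "these cases". Because this paragraph sits immediately before "_POST requests can be sent automatically, too_", it is also worth one sentence noting that a request carrying `_method` is still sent as a POST, so the forged-form example that follows and the security token requirement apply to PATCH, PUT and DELETE actions as well.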