author | Rafael França <rafael@franca.dev> | 2019-07-26 12:56:38 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-07-26 12:56:38 -0400 |
commit | 7067ee91fb6535882c017adb06c402ed16cdf909 (patch) | |
tree | f8ca6e4a775abbf3996e37311016267a34bb8397 | |
parent | a40b328b0183af65c9a4ce5da02d69580211fd3d (diff) | |
parent | 85a08fe6719352b07ba21a7834cfb7c89b291238 (diff) | |
Merge pull request #36771 from ajn123/add-documentation-for-csrf-javascript
[ci skip] add CSRF token explanation for javascript documentation
-rw-r--r-- | guides/source/working_with_javascript_in_rails.md | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/guides/source/working_with_javascript_in_rails.md b/guides/source/working_with_javascript_in_rails.md index 8cf8efefd0..b740e933ba 100644 --- a/guides/source/working_with_javascript_in_rails.md +++ b/guides/source/working_with_javascript_in_rails.md @@ -14,6 +14,7 @@ After reading this guide, you will know: * How Rails' built-in helpers assist you. * How to handle Ajax on the server side. * The Turbolinks gem. +* How to include your Cross-Site Request Forgery token in request headers ------------------------------------------------------------------------------- @@ -524,6 +525,23 @@ For more details, including other events you can bind to, check out [the Turbolinks README](https://github.com/turbolinks/turbolinks/blob/master/README.md). +Cross-Site Request Forgery (CSRF) token in Ajax +---- + +When using another library to make Ajax calls, it is necessary to add +the security token as a default header for Ajax calls in your library. To get +the token: + +```javascript +var token = document.getElementsByName('csrf-token')[0].content +``` + +You can then submit this token as a X-CSRF-Token in your header for your +Ajax requst. You do not need to add a CSRF for GET requests, only non-GET +requests. + +You can read more about about Cross-Site Request Forgery in [Security](https://guides.rubyonrails.org/security.html#cross-site-request-forgery-csrf) + Other Resources --------------- |
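Review bot: in the first hunk, the added bullet `* How to include your Cross-Site Request Forgery token in request headers` is the only item in that list without a trailing period (compare `* The Turbolinks gem.` directly above it); add the period so the list stays consistent.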
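Review bot: in the second hunk, `var token = document.getElementsByName('csrf-token')[0].content` throws a TypeError on any page whose layout does not render the `csrf-token` meta tag, because `[0]` is `undefined` and `.content` is read from it; since the section is aimed at people wiring up a third-party Ajax library, the snippet should guard the lookup, e.g. `var meta = document.querySelector('meta[name="csrf-token"]');` followed by `var token = meta ? meta.content : null;`. The prose in the same section needs three small fixes: "Ajax requst" should read "Ajax request", "a X-CSRF-Token in your header" should read "an `X-CSRF-Token` header", and "about about" is doubled. Finally, the setext underline `----` under the new heading is shorter than the guide's convention of matching the title width, as in `Other Resources` / `---------------` immediately below.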