diff options
| author | Vijay Dev <vijaydev.cse@gmail.com> | 2012-05-27 19:45:52 +0530 |
|---|---|---|
| committer | Vijay Dev <vijaydev.cse@gmail.com> | 2012-05-27 19:45:52 +0530 |
| commit | 903a9d51c0f736de3d5a82334190abe04f79b037 (patch) | |
| tree | 87398ee2a6b0d668a8e5efe6193a118da764b968 | |
| parent | 4f031c8350b08eb0b1eb8abf7eb380654d284abc (diff) | |
| download | rails-903a9d51c0f736de3d5a82334190abe04f79b037.tar.gz rails-903a9d51c0f736de3d5a82334190abe04f79b037.tar.bz2 rails-903a9d51c0f736de3d5a82334190abe04f79b037.zip | |
copy edits [ci skip]
| -rw-r--r-- | guides/source/security.textile | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/guides/source/security.textile b/guides/source/security.textile index 14038a9bcd..cc0894fc77 100644 --- a/guides/source/security.textile +++ b/guides/source/security.textile @@ -240,12 +240,12 @@ It is common to use persistent cookies to store user information, with +cookies. <ruby> def handle_unverified_request - super - sign_out_user # Example method that will destroy the user cookies. + super + sign_out_user # Example method that will destroy the user cookies. end </ruby> -The above method could be placed in the +ApplicationController+ and will be called when a CSRF token is not present on a POST request. +The above method can be placed in the +ApplicationController+ and will be called when a CSRF token is not present on a non-GET request. Note that _(highlight)cross-site scripting (XSS) vulnerabilities bypass all CSRF protections_. XSS gives the attacker access to all elements on a page, so he can read the CSRF security token from a form or directly submit the form. Read <a href="#cross-site-scripting-xss">more about XSS</a> later. |