aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRachel Carvalho <rachel.carvalho@gmail.com>2017-03-23 16:21:11 -0400
committerRachel Carvalho <rachel.carvalho@gmail.com>2017-03-23 16:22:04 -0400
commitaed7bb67485b1e4d4c7eeb40971ac4057d48999c (patch)
tree760762019fa8f83a49e7a521275b0e1dc35540c2
parent484d1ed529d23bcb5e1b5ca167bb63ac8c164c8b (diff)
downloadrails-aed7bb67485b1e4d4c7eeb40971ac4057d48999c.tar.gz
rails-aed7bb67485b1e4d4c7eeb40971ac4057d48999c.tar.bz2
rails-aed7bb67485b1e4d4c7eeb40971ac4057d48999c.zip
update guide to reflect browser compatibility for HTTP verbs [ci skip]
-rw-r--r--guides/source/security.md4
1 files changed, 2 insertions, 2 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index a14134f8c1..7e27e6f37d 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -212,7 +212,7 @@ CSRF appears very rarely in CVE (Common Vulnerabilities and Exposures) - less th
NOTE: _First, as is required by the W3C, use GET and POST appropriately. Secondly, a security token in non-GET requests will protect your application from CSRF._
-The HTTP protocol basically provides two main types of requests - GET and POST (and more, but they are not supported by most browsers). The World Wide Web Consortium (W3C) provides a checklist for choosing HTTP GET or POST:
+The HTTP protocol basically provides two main types of requests - GET and POST (DELETE, PUT, and PATCH should be used like POST). The World Wide Web Consortium (W3C) provides a checklist for choosing HTTP GET or POST:
**Use GET if:**
@@ -224,7 +224,7 @@ The HTTP protocol basically provides two main types of requests - GET and POST (
* The interaction _changes the state_ of the resource in a way that the user would perceive (e.g., a subscription to a service), or
* The user is _held accountable for the results_ of the interaction.
-If your web application is RESTful, you might be used to additional HTTP verbs, such as PATCH, PUT or DELETE. Most of today's web browsers, however, do not support them - only GET and POST. Rails uses a hidden `_method` field to handle this barrier.
+If your web application is RESTful, you might be used to additional HTTP verbs, such as PATCH, PUT or DELETE. Some legacy web browsers, however, do not support them - only GET and POST. Rails uses a hidden `_method` field to handle these cases.
_POST requests can be sent automatically, too_. In this example, the link www.harmless.com is shown as the destination in the browser's status bar. But it has actually dynamically created a new form that sends a POST request.