Merge pull request #13345 from jeremy/get-csrf

CSRF protection from cross-origin <script> tags
author: Jeremy Kemper <jeremy@bitsweat.net> 2013-12-17 12:29:57 -0800
committer: Jeremy Kemper <jeremy@bitsweat.net> 2013-12-17 12:29:57 -0800
commit: 39ca25f5c42470b4a446fa7688bce22767d82d79 (patch)
tree: 504d96a497fe6dac441675d09b7b79c41357f7f6 /actionpack/CHANGELOG.md
parent: 2b096c7170bd8b4892fb3902741c8a4c21e962b2 (diff)
parent: 1650bb3d56897cfef4c7e6b86a36eed4f1a41df5 (diff)
download: rails-39ca25f5c42470b4a446fa7688bce22767d82d79.tar.gz
rails-39ca25f5c42470b4a446fa7688bce22767d82d79.tar.bz2
rails-39ca25f5c42470b4a446fa7688bce22767d82d79.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index b4d3da3603..3324dfa623 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,3 +1,8 @@
+*   Extend cross-site request forgery (CSRF) protection to GET requests with
+    JavaScript responses, protecting apps from cross-origin `<script>` tags.
+
+    *Jeremy Kemper*
+
 *   Fix generating a path for engine inside a resources block.
 
     Fixes #8533.
author	Jeremy Kemper <jeremy@bitsweat.net>	2013-12-17 12:29:57 -0800
committer	Jeremy Kemper <jeremy@bitsweat.net>	2013-12-17 12:29:57 -0800
commit	39ca25f5c42470b4a446fa7688bce22767d82d79 (patch)
tree	504d96a497fe6dac441675d09b7b79c41357f7f6 /actionpack/CHANGELOG.md
parent	2b096c7170bd8b4892fb3902741c8a4c21e962b2 (diff)
parent	1650bb3d56897cfef4c7e6b86a36eed4f1a41df5 (diff)
download	rails-39ca25f5c42470b4a446fa7688bce22767d82d79.tar.gz rails-39ca25f5c42470b4a446fa7688bce22767d82d79.tar.bz2 rails-39ca25f5c42470b4a446fa7688bce22767d82d79.zip