aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller/metal/request_forgery_protection.rb
diff options
context:
space:
mode:
authorMichiel Sikkes <michiel.sikkes@gmail.com>2013-01-22 22:01:57 +0100
committerMichiel Sikkes <michiel.sikkes@gmail.com>2013-01-22 22:01:57 +0100
commit2ef138f0d49e92550bb74a103df7ce5074b18241 (patch)
tree3fea462b22db648ec3b22dd4ab9cddf40a6543a5 /actionpack/lib/action_controller/metal/request_forgery_protection.rb
parent64245e02e359cb9cf65bfcae2e2f5bebb00f47bf (diff)
downloadrails-2ef138f0d49e92550bb74a103df7ce5074b18241.tar.gz
rails-2ef138f0d49e92550bb74a103df7ce5074b18241.tar.bz2
rails-2ef138f0d49e92550bb74a103df7ce5074b18241.zip
Added request.head? to forgery protection code
Diffstat (limited to 'actionpack/lib/action_controller/metal/request_forgery_protection.rb')
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb4
1 files changed, 2 insertions, 2 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index c5db0cb0d4..f41df1730b 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -162,11 +162,11 @@ module ActionController #:nodoc:
# Returns true or false if a request is verified. Checks:
#
- # * is it a GET request? Gets should be safe and idempotent
+ # * is it a GET or HEAD request? Gets should be safe and idempotent
# * Does the form_authenticity_token match the given token value from the params?
# * Does the X-CSRF-Token header match the form_authenticity_token
def verified_request?
- !protect_against_forgery? || request.get? ||
+ !protect_against_forgery? || request.get? || request.head? ||
form_authenticity_token == params[request_forgery_protection_token] ||
form_authenticity_token == request.headers['X-CSRF-Token']
end