authorJeremy Kemper <jeremy@bitsweat.net>2013-12-17 16:02:04 -0700
committerJeremy Kemper <jeremy@bitsweat.net>2013-12-17 16:02:04 -0700
commit4f4fdd643f9d19fbbeeec3ac77674f791c9beffa (patch)
tree17b9c9ca81d7a5d531827db5f9e500ef8de63544 /actionpack/lib/action_controller/metal/request_forgery_protection.rb
parentd3fcaba6266d99ef9a5ad6d9154b1257e1300310 (diff)
Clearly limit new CSRF protection to GET requests
Diffstat (limited to 'actionpack/lib/action_controller/metal/request_forgery_protection.rb')
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb9
1 files changed, 7 insertions, 2 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 8cdb9a7655..c88074d4c6 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -190,7 +190,7 @@ module ActionController #:nodoc:
# verify that JavaScript responses are for XHR requests, ensuring they
# follow the browser's same-origin policy.
def verify_authenticity_token
- @marked_for_same_origin_verification = true
+ mark_for_same_origin_verification!
if !verified_request?
logger.warn "Can't verify CSRF token authenticity" if logger
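Review bot: The new helper called on the first changed line, `mark_for_same_origin_verification!`, carries a bang although no non-bang counterpart exists; in Ruby the `!` conventionally marks the dangerous variant of a safe method, so a plain `mark_for_same_origin_verification` (or a name that says what it decides) would read more conventionally. This is style only and does not affect the check itself. The body of `verify_authenticity_token` continues past the hunk, so whether the flag is consulted anywhere else in this method cannot be seen here.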
@@ -218,10 +218,15 @@ module ActionController #:nodoc:
end
end
+ # GET requests are checked for cross-origin JavaScript after rendering.
+ def mark_for_same_origin_verification!
+ @marked_for_same_origin_verification = request.get?
+ end
+
# If the `verify_authenticity_token` before_action ran, verify that
# JavaScript responses are only served to same-origin GET requests.
def marked_for_same_origin_verification?
- defined? @marked_for_same_origin_verification
+ @marked_for_same_origin_verification ||= false
end
# Check for cross-origin JavaScript responses.
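Review bot: The comment added above `mark_for_same_origin_verification!` says that GET requests are marked but not why non-GET requests are left out, and that rationale is the security-relevant part of this change. Presumably a non-GET request only reaches rendering after the CSRF token check in `verified_request?` (which this method runs just before) has already established same-origin, whereas GET skips that check and so still needs the post-render JavaScript verification; if that is the reasoning, it should be recorded, e.g. `# Only GET is marked: non-GET requests are already covered by the CSRF token check in verified_request?, which GET does not go through.` `request.get?` also leaves HEAD unmarked; if that is intentional because HEAD responses carry no body, a sentence saying so would save the next reader from wondering. Finally, `||= false` in `marked_for_same_origin_verification?` writes the ivar as a side effect; if that is only to avoid an uninitialized-ivar warning, a short comment there would make the intent clear.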