author | Jeremy Kemper <jeremy@bitsweat.net> | 2013-12-17 16:02:04 -0700 |
committer | Jeremy Kemper <jeremy@bitsweat.net> | 2013-12-17 16:02:04 -0700 |
commit | 4f4fdd643f9d19fbbeeec3ac77674f791c9beffa (patch) | |
tree | 17b9c9ca81d7a5d531827db5f9e500ef8de63544 /actionpack/lib/action_controller/metal/request_forgery_protection.rb | |
parent | d3fcaba6266d99ef9a5ad6d9154b1257e1300310 (diff) | |
Clearly limit new CSRF protection to GET requests
Diffstat (limited to 'actionpack/lib/action_controller/metal/request_forgery_protection.rb')
-rw-r--r-- | actionpack/lib/action_controller/metal/request_forgery_protection.rb | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 8cdb9a7655..c88074d4c6 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -190,7 +190,7 @@ module ActionController #:nodoc:
       # verify that JavaScript responses are for XHR requests, ensuring they
       # follow the browser's same-origin policy.
       def verify_authenticity_token
-        @marked_for_same_origin_verification = true
+        mark_for_same_origin_verification!
 
         if !verified_request?
           logger.warn "Can't verify CSRF token authenticity" if logger
@@ -218,10 +218,15 @@ module ActionController #:nodoc:
         end
       end
 
+      # GET requests are checked for cross-origin JavaScript after rendering.
+      def mark_for_same_origin_verification!
+        @marked_for_same_origin_verification = request.get?
+      end
+
       # If the `verify_authenticity_token` before_action ran, verify that
       # JavaScript responses are only served to same-origin GET requests.
       def marked_for_same_origin_verification?
-        defined? @marked_for_same_origin_verification
+        @marked_for_same_origin_verification ||= false
       end
 
       # Check for cross-origin JavaScript responses. |
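Review bot: The new call `mark_for_same_origin_verification!` in `verify_authenticity_token` uses a bang name although no non-bang counterpart exists; in Ruby the bang marks the more dangerous variant of an existing method, not merely "has a side effect", and the method (defined in the second hunk) only assigns an instance variable. Naming it `mark_for_same_origin_verification` would follow that convention, with the call site changed to match. The body of `verify_authenticity_token` continues past the end of this hunk, so the behaviour of the rest of the filter could not be checked here.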
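Review bot: The comment above `marked_for_same_origin_verification?` still states that the check applies whenever the `verify_authenticity_token` before_action ran, but with `@marked_for_same_origin_verification = request.get?` the predicate is now true only for GET requests, so a non-GET request that ran the filter skips the same-origin JavaScript check entirely; that narrowing is the point of the commit and should be stated, e.g. `# True only if the verify_authenticity_token before_action ran for a GET request; JavaScript responses are then restricted to same-origin requests.` The replacement `@marked_for_same_origin_verification ||= false` also writes the ivar from inside a predicate; presumably this is to avoid the uninitialized-instance-variable warning that a plain `@marked_for_same_origin_verification || false` would emit, and a one-line comment such as `# ||= sidesteps the uninitialized ivar warning` would make that intent clear to the next reader. The method that actually performs the cross-origin check starts after the last line of this hunk and was not reviewed.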