aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller/metal/request_forgery_protection.rb
diff options
context:
space:
mode:
authorZachary Scott <e@zzak.io>2015-04-12 21:56:01 -0700
committerZachary Scott <e@zzak.io>2015-04-12 21:56:01 -0700
commite1ebf146b56a80395ed9e6d100bdb403921ada38 (patch)
tree169a32e2eb6be36a8a4f8d0bdc17ad4d0e4931f5 /actionpack/lib/action_controller/metal/request_forgery_protection.rb
parentfd0f27ce793caf8c2f06cf09710aa0a505df553e (diff)
downloadrails-e1ebf146b56a80395ed9e6d100bdb403921ada38.tar.gz
rails-e1ebf146b56a80395ed9e6d100bdb403921ada38.tar.bz2
rails-e1ebf146b56a80395ed9e6d100bdb403921ada38.zip
Apply comments from @jeremy regarding why HTML and Javascript requests
specifically are checked for CSRF, when dealing with the browser. [ci skip]
Diffstat (limited to 'actionpack/lib/action_controller/metal/request_forgery_protection.rb')
-rw-r--r--actionpack/lib/action_controller/metal/request_forgery_protection.rb5
1 files changed, 5 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index a9d38b6660..b6c613849b 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -17,6 +17,11 @@ module ActionController #:nodoc:
# as these should be idempotent. Keep in mind that all session-oriented requests
# should be CSRF protected, including Javascript and HTML requests.
#
+ # Since HTML and Javascript requests are typically made from the browser, we
+ # need to ensure to verify request authenticity for the web browser. We can
+ # use session-oriented authentication for these types requests, by using
+ # the `protect_form_forgery` method in our controllers.
+ #
# GET requests are not protected since they don't have side effects like writing
# to the database and don't leak sensitive information. JavaScript requests are
# an exception: a third-party site can use a <script> tag to reference a JavaScript