diff options
| author | Ross Kaffenburger and Bryan Helmkamp <developers@weplay.com> | 2009-03-04 16:05:15 -0500 |
|---|---|---|
| committer | Carl Lerche & Yehuda Katz <wycats@gmail.com> | 2009-04-15 16:04:21 -0700 |
| commit | 256b0ee8e3c1610967dfc89f864e24b98ed3c236 (patch) | |
| tree | 057ef8c74d5aeaf964dd7a1743359a758c1bbf7a /actionpack/lib | |
| parent | 3c1187699a80e0c4a003f5693389595cd644390f (diff) | |
| download | rails-256b0ee8e3c1610967dfc89f864e24b98ed3c236.tar.gz rails-256b0ee8e3c1610967dfc89f864e24b98ed3c236.tar.bz2 rails-256b0ee8e3c1610967dfc89f864e24b98ed3c236.zip | |
Don't check authenticity tokens for any AJAX requests
Diffstat (limited to 'actionpack/lib')
| -rw-r--r-- | actionpack/lib/action_controller/base/request_forgery_protection.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/base/request_forgery_protection.rb b/actionpack/lib/action_controller/base/request_forgery_protection.rb index f3e6288c26..3067122ceb 100644 --- a/actionpack/lib/action_controller/base/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/base/request_forgery_protection.rb @@ -81,12 +81,13 @@ module ActionController #:nodoc: # Returns true or false if a request is verified. Checks: # - # * is the format restricted? By default, only HTML and AJAX requests are checked. + # * is the format restricted? By default, only HTML requests are checked. # * is it a GET request? Gets should be safe and idempotent # * Does the form_authenticity_token match the given token value from the params? def verified_request? !protect_against_forgery? || request.method == :get || + request.xhr? || !verifiable_request_format? || form_authenticity_token == params[request_forgery_protection_token] end |