| Field | Value | Date |
|---|---|---|
| author | Zachary Scott <e@zzak.io> | 2015-04-12 21:56:01 -0700 |
| committer | Zachary Scott <e@zzak.io> | 2015-04-12 21:56:01 -0700 |
| commit | e1ebf146b56a80395ed9e6d100bdb403921ada38 (patch) | |
| tree | 169a32e2eb6be36a8a4f8d0bdc17ad4d0e4931f5 /actionpack | |
| parent | fd0f27ce793caf8c2f06cf09710aa0a505df553e (diff) | |
Apply comments from @jeremy regarding why HTML and Javascript requests
specifically are checked for CSRF, when dealing with the browser.
[ci skip]
Diffstat (limited to 'actionpack')
-rw-r--r-- | actionpack/lib/action_controller/metal/request_forgery_protection.rb | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index a9d38b6660..b6c613849b 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -17,6 +17,11 @@ module ActionController #:nodoc: # as these should be idempotent. Keep in mind that all session-oriented requests # should be CSRF protected, including Javascript and HTML requests. # + # Since HTML and Javascript requests are typically made from the browser, we + # need to ensure to verify request authenticity for the web browser. We can + # use session-oriented authentication for these types requests, by using + # the `protect_form_forgery` method in our controllers. + # # GET requests are not protected since they don't have side effects like writing # to the database and don't leak sensitive information. JavaScript requests are # an exception: a third-party site can use a <script> tag to reference a JavaScript |
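Review bot: the method named in the added comment is misspelled; `protect_form_forgery` should be `protect_from_forgery`, the ActionController class method that enables this CSRF check, and a wrong name in the documentation sends readers looking for a method that does not exist. Two grammar points in the same paragraph: "these types requests" should read "these types of requests", and "we need to ensure to verify request authenticity" reads more cleanly as "we need to verify request authenticity". Suggested rewording of the affected lines: `# need to verify request authenticity for the web browser. We can use` / `# session-oriented authentication for these types of requests by calling` / `# protect_from_forgery in our controllers.`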