author    Eileen M. Uchitelle <eileencodes@gmail.com> 2015-09-16 07:56:32 -0400
committer Eileen M. Uchitelle <eileencodes@gmail.com> 2015-09-16 07:56:32 -0400
commit    3edc7f7a1ce39a63828ecb7488dcedc188aa23f9 (patch)
tree      e221131d992a55b8443390d08d248c5bc57dc966 /guides/source/upgrading_ruby_on_rails.md
parent    93181210234411b9a918cca481422eabebe5400e (diff)
parent    570cd2481653be3d5bc8962b4b95360c6569041b (diff)
Merge pull request #21618 from designgrill/master
Improved explanation of the <script> tag CSRF behavior
Diffstat (limited to 'guides/source/upgrading_ruby_on_rails.md')
-rw-r--r-- guides/source/upgrading_ruby_on_rails.md | 6
1 files changed, 2 insertions, 4 deletions
diff --git a/guides/source/upgrading_ruby_on_rails.md b/guides/source/upgrading_ruby_on_rails.md
index 30c0fcb294..2de9d6045e 100644
--- a/guides/source/upgrading_ruby_on_rails.md
+++ b/guides/source/upgrading_ruby_on_rails.md
@@ -316,11 +316,9 @@ Upgrading from Rails 4.0 to Rails 4.1
Or, "whaaat my tests are failing!!!?"
-Cross-site request forgery (CSRF) protection now covers GET requests with
-JavaScript responses, too. This prevents a third-party site from referencing
-your JavaScript URL and attempting to run it to extract sensitive data.
+Cross-site request forgery (CSRF) protection now covers GET requests with dynamic JavaScript responses, too. By default, all javascript responses generated by an action will be blocked for non xhr requests. This will block usage of such urls in any `<script>` tag including your own. That way, in a possible attack scenario, it prevents a third-party site from referencing your JavaScript URL and attempting to run it to extract sensitive data.
-This means that your functional and integration tests that use
+It also means that your functional and integration tests that use
```ruby
get :index, format: :js
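Review bot: The replacement paragraph on the `+Cross-site request forgery` line uses inconsistent casing and line wrapping compared with the three lines it replaces: "javascript" should be "JavaScript" (as in the same sentence), "non xhr" should be "non-XHR", "urls" should be "URLs", and the text should be wrapped at the roughly 80-column width the surrounding guide prose uses rather than kept on one long line. The sentence "That way, in a possible attack scenario, it prevents a third-party site from referencing your JavaScript URL and attempting to run it to extract sensitive data." is also awkward; consider folding it into the preceding one, for example "This blocks use of such URLs in any `<script>` tag, including your own, which is what prevents a third-party site from referencing your JavaScript URL and running it to extract sensitive data." Since the paragraph now says the restriction applies to non-XHR requests, it would also help readers to say explicitly that the `get :index, format: :js` test in the following context line fails because it is not an XHR request, which is the connection the new "It also means" lead-in relies on.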