aboutsummaryrefslogtreecommitdiffstats
path: root/tools
diff options
context:
space:
mode:
authorMichael Koziarski <michael@koziarski.com>2011-01-05 13:36:07 +1300
committerAaron Patterson <aaron.patterson@gmail.com>2011-02-08 14:57:08 -0800
commitae19e4141f27f80013c11e8b1da68e5c52c779ea (patch)
tree84756e4d022c89de602aa85cd5e515496eee4e7d /tools
parent0b58a7ff420d7ef4b643c521a62be7259dd2f5cb (diff)
downloadrails-ae19e4141f27f80013c11e8b1da68e5c52c779ea.tar.gz
rails-ae19e4141f27f80013c11e8b1da68e5c52c779ea.tar.bz2
rails-ae19e4141f27f80013c11e8b1da68e5c52c779ea.zip
Change the CSRF whitelisting to only apply to get requests
Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets. To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header: X-CSRF-Token: ... This fixes CVE-2011-0447
Diffstat (limited to 'tools')
0 files changed, 0 insertions, 0 deletions