diff options
| -rw-r--r-- | actionpack/lib/action_controller/metal/request_forgery_protection.rb | 4 | ||||
| -rw-r--r-- | actionpack/test/controller/request_forgery_protection_test.rb | 4 |
2 files changed, 6 insertions, 2 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index 2d5ba0024e..77b173979e 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -163,11 +163,11 @@ module ActionController #:nodoc: # Returns true or false if a request is verified. Checks: # - # * is it a GET request? Gets should be safe and idempotent + # * is it a GET or HEAD request? Gets should be safe and idempotent # * Does the form_authenticity_token match the given token value from the params? # * Does the X-CSRF-Token header match the form_authenticity_token def verified_request? - !protect_against_forgery? || request.get? || + !protect_against_forgery? || request.get? || request.head? || form_authenticity_token == params[request_forgery_protection_token] || form_authenticity_token == request.headers['X-CSRF-Token'] end diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb index 523a8d0572..7571192f97 100644 --- a/actionpack/test/controller/request_forgery_protection_test.rb +++ b/actionpack/test/controller/request_forgery_protection_test.rb @@ -170,6 +170,10 @@ module RequestForgeryProtectionTests assert_not_blocked { get :index } end + def test_should_allow_head + assert_not_blocked { head :index } + end + def test_should_allow_post_without_token_on_unsafe_action assert_not_blocked { post :unsafe } end |