diff options
| -rw-r--r-- | actionpack/lib/action_controller/metal/request_forgery_protection.rb | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index a9d38b6660..b6c613849b 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -17,6 +17,11 @@ module ActionController #:nodoc: # as these should be idempotent. Keep in mind that all session-oriented requests # should be CSRF protected, including Javascript and HTML requests. # + # Since HTML and Javascript requests are typically made from the browser, we + # need to ensure to verify request authenticity for the web browser. We can + # use session-oriented authentication for these types requests, by using + # the `protect_form_forgery` method in our controllers. + # # GET requests are not protected since they don't have side effects like writing # to the database and don't leak sensitive information. JavaScript requests are # an exception: a third-party site can use a <script> tag to reference a JavaScript |