1 files changed, 9 insertions, 10 deletions

diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 148efbb081..b89e03bfb6 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -71,25 +71,24 @@ module ActionController #:nodoc:
     end
 
     protected
-
-      def protect_from_forgery(options = {})
-        self.request_forgery_protection_token ||= :authenticity_token
-        before_filter :verify_authenticity_token, options
-      end
-
       # The actual before_filter that is used.  Modify this to change how you handle unverified requests.
       def verify_authenticity_token
-        verified_request? || raise(ActionController::InvalidAuthenticityToken)
+        verified_request? || handle_unverified_request
+      end
+
+      def handle_unverified_request
+        reset_session
       end
 
       # Returns true or false if a request is verified.  Checks:
       #
-      # * is the format restricted?  By default, only HTML requests are checked.
       # * is it a GET request?  Gets should be safe and idempotent
       # * Does the form_authenticity_token match the given token value from the params?
+      # * Does the X-CSRF-Token header match the form_authenticity_token
       def verified_request?
-        !protect_against_forgery? || request.forgery_whitelisted? ||
-          form_authenticity_token == params[request_forgery_protection_token]
+        !protect_against_forgery? || request.get? ||
+          form_authenticity_token == params[request_forgery_protection_token] ||
+          form_authenticity_token == request.headers['X-CSRF-Token']
       end
 
       # Sets the token value for the current session.