1 files changed, 19 insertions, 3 deletions

diff --git a/actionpack/lib/action_controller/mime_type.rb b/actionpack/lib/action_controller/mime_type.rb
index 26edca3b69..6923a13f3f 100644
--- a/actionpack/lib/action_controller/mime_type.rb
+++ b/actionpack/lib/action_controller/mime_type.rb
@@ -20,8 +20,20 @@ module Mime
   #   end
   class Type
     @@html_types = Set.new [:html, :all]
+    cattr_reader :html_types
+
+    # These are the content types which browsers can generate without using ajax, flash, etc
+    # i.e. following a link, getting an image or posting a form.  CSRF protection
+    # only needs to protect against these types.
+    @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form, :text]
+    cattr_reader :browser_generated_types
+
+
     @@unverifiable_types = Set.new [:text, :json, :csv, :xml, :rss, :atom, :yaml]
-    cattr_reader :html_types, :unverifiable_types
+    def self.unverifiable_types
+      ActiveSupport::Deprecation.warn("unverifiable_types is deprecated and has no effect", caller)
+      @@unverifiable_types
+    end
 
     # A simple helper class used in parsing the accept header
     class AcceptItem #:nodoc:
@@ -165,15 +177,19 @@ module Mime
     end
 
     # Returns true if Action Pack should check requests using this Mime Type for possible request forgery.  See
-    # ActionController::RequestForgerProtection.
+    # ActionController::RequestForgeryProtection.
     def verify_request?
-      !@@unverifiable_types.include?(to_sym)
+      browser_generated?
     end
 
     def html?
       @@html_types.include?(to_sym) || @string =~ /html/
     end
 
+    def browser_generated?
+      @@browser_generated_types.include?(to_sym)
+    end
+
     private
       def method_missing(method, *args)
         if method.to_s =~ /(\w+)\?$/