diff options
Diffstat (limited to 'actionpack/lib')
-rw-r--r-- | actionpack/lib/action_controller/base/request_forgery_protection.rb | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/actionpack/lib/action_controller/base/request_forgery_protection.rb b/actionpack/lib/action_controller/base/request_forgery_protection.rb index f3e6288c26..3067122ceb 100644 --- a/actionpack/lib/action_controller/base/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/base/request_forgery_protection.rb @@ -81,12 +81,13 @@ module ActionController #:nodoc: # Returns true or false if a request is verified. Checks: # - # * is the format restricted? By default, only HTML and AJAX requests are checked. + # * is the format restricted? By default, only HTML requests are checked. # * is it a GET request? Gets should be safe and idempotent # * Does the form_authenticity_token match the given token value from the params? def verified_request? !protect_against_forgery? || request.method == :get || + request.xhr? || !verifiable_request_format? || form_authenticity_token == params[request_forgery_protection_token] end |