1 files changed, 7 insertions, 4 deletions

diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 736f70af4c..53534c0307 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -9,10 +9,13 @@ module ActionController #:nodoc:
   # by including a token in the rendered html for your application. This token is
   # stored as a random string in the session, to which an attacker does not have
   # access. When a request reaches your application, \Rails verifies the received
-  # token with the token in the session. All requests are checked except GET requests
-  # as these should be idempotent. It's important to remember that XML or JSON
-  # requests are also affected and if you're building an API you'll need
-  # something like that:
+  # token with the token in the session. Only HTML and JavaScript requests are checked,
+  # so this will not protect your XML API (presumably you'll have a different
+  # authentication scheme there anyway). Also, GET requests are not protected as these
+  # should be idempotent.
+  #
+  # It's important to remember that XML or JSON requests are also affected and if
+  # you're building an API you'll need something like:
   #
   #   class ApplicationController < ActionController::Base
   #     protect_from_forgery