4 files changed, 20 insertions, 38 deletions
diff --git a/actionpack/lib/action_controller/metal/force_ssl.rb b/actionpack/lib/action_controller/metal/force_ssl.rb
index 5a8c7db162..d920668184 100644
--- a/actionpack/lib/action_controller/metal/force_ssl.rb
+++ b/actionpack/lib/action_controller/metal/force_ssl.rb
@@ -89,7 +89,7 @@ module ActionController
         end
 
         secure_url = ActionDispatch::Http::URL.url_for(options.slice(*URL_OPTIONS))
-        flash.keep if request.respond_to?(:flash)
+        flash.keep if respond_to?(:flash)
         redirect_to secure_url, options.slice(*REDIRECT_OPTIONS)
       end
     end
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 367b736035..663a969f72 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -13,9 +13,14 @@ module ActionController #:nodoc:
   # by including a token in the rendered HTML for your application. This token is
   # stored as a random string in the session, to which an attacker does not have
   # access. When a request reaches your application, \Rails verifies the received
-  # token with the token in the session. Only HTML and JavaScript requests are checked,
-  # so this will not protect your XML API (presumably you'll have a different
-  # authentication scheme there anyway).
+  # token with the token in the session. All requests are checked except GET requests
+  # as these should be idempotent. Keep in mind that all session-oriented requests
+  # should be CSRF protected, including Javascript and HTML requests.
+  #
+  # Since HTML and Javascript requests are typically made from the browser, we
+  # need to ensure to verify request authenticity for the web browser. We can
+  # use session-oriented authentication for these types requests, by using
+  # the `protect_form_forgery` method in our controllers.
   #
   # GET requests are not protected since they don't have side effects like writing
   # to the database and don't leak sensitive information. JavaScript requests are
@@ -26,15 +31,20 @@ module ActionController #:nodoc:
   # Ajax) requests are allowed to make GET requests for JavaScript responses.
   #
   # It's important to remember that XML or JSON requests are also affected and if
-  # you're building an API you'll need something like:
+  # you're building an API you should change forgery protection method in
+  # <tt>ApplicationController</tt> (by default: <tt>:exception</tt>):
   #
   #   class ApplicationController < ActionController::Base
   #     protect_from_forgery unless: -> { request.format.json? }
   #   end
   #
-  # CSRF protection is turned on with the <tt>protect_from_forgery</tt> method,
-  # which checks the token and resets the session if it doesn't match what was expected.
-  # A call to this method is generated for new \Rails applications by default.
+  # CSRF protection is turned on with the <tt>protect_from_forgery</tt> method.
+  # By default <tt>protect_from_forgery</tt> protects your session with
+  # <tt>:null_session</tt> method, which provides an empty session during request
+  #
+  # We may want to disable CSRF protection for APIs since they are typically
+  # designed to be state-less. That is, the requestion API client will handle
+  # the session for you instead of Rails.
   #
   # The token parameter is named <tt>authenticity_token</tt> by default. The name and
   # value of this token must be added to every layout that renders forms by including
diff --git a/actionpack/lib/action_controller/test_case.rb b/actionpack/lib/action_controller/test_case.rb
index 6ffd7a7d2b..33c24999f9 100644
--- a/actionpack/lib/action_controller/test_case.rb
+++ b/actionpack/lib/action_controller/test_case.rb
@@ -659,9 +659,7 @@ module ActionController
         @request.assign_parameters(@routes, controller_class_name, action.to_s, parameters)
 
         @request.session.update(session) if session
-
-        is_request_flash_enabled = @request.respond_to?(:flash)
-        @request.flash.update(flash || {}) if is_request_flash_enabled
+        @request.flash.update(flash || {})
 
         if xhr
           @request.env['HTTP_X_REQUESTED_WITH'] = 'XMLHttpRequest'
@@ -687,8 +685,7 @@ module ActionController
 
         @assigns = @controller.respond_to?(:view_assigns) ? @controller.view_assigns : {}
 
-        flash_value = is_request_flash_enabled ? @request.flash.to_session_value : nil
-        if flash_value
+        if flash_value = @request.flash.to_session_value
           @request.session['flash'] = flash_value
         else
           @request.session.delete('flash')
diff --git a/actionpack/test/controller/force_ssl_test.rb b/actionpack/test/controller/force_ssl_test.rb
index e1e423675f..5639abdc56 100644
--- a/actionpack/test/controller/force_ssl_test.rb
+++ b/actionpack/test/controller/force_ssl_test.rb
@@ -321,29 +321,4 @@ class RedirectToSSLTest < ActionController::TestCase
     assert_response 200
     assert_equal 'ihaz', response.body
   end
-
-  def test_banana_redirects_to_https_if_not_https_and_flash_middleware_is_disabled
-    disable_flash
-    get :banana
-    assert_response 301
-    assert_equal 'https://test.host/redirect_to_ssl/banana', redirect_to_url
-  ensure
-    enable_flash
-  end
-
-  private
-
-  def disable_flash
-    ActionDispatch::TestRequest.class_eval do
-      alias_method :flash_origin, :flash
-      undef_method :flash
-    end
-  end
-
-  def enable_flash
-    ActionDispatch::TestRequest.class_eval do
-      alias_method :flash, :flash_origin
-      undef_method :flash_origin
-    end
-  end
 end