aboutsummaryrefslogtreecommitdiffstats
path: root/actionview/lib/action_view/helpers/csrf_helper.rb
diff options
context:
space:
mode:
Diffstat (limited to 'actionview/lib/action_view/helpers/csrf_helper.rb')
-rw-r--r--actionview/lib/action_view/helpers/csrf_helper.rb33
1 files changed, 33 insertions, 0 deletions
diff --git a/actionview/lib/action_view/helpers/csrf_helper.rb b/actionview/lib/action_view/helpers/csrf_helper.rb
new file mode 100644
index 0000000000..5af92c4ff2
--- /dev/null
+++ b/actionview/lib/action_view/helpers/csrf_helper.rb
@@ -0,0 +1,33 @@
+module ActionView
+ # = Action View CSRF Helper
+ module Helpers
+ module CsrfHelper
+ # Returns meta tags "csrf-param" and "csrf-token" with the name of the cross-site
+ # request forgery protection parameter and token, respectively.
+ #
+ # <head>
+ # <%= csrf_meta_tags %>
+ # </head>
+ #
+ # These are used to generate the dynamic forms that implement non-remote links with
+ # <tt>:method</tt>.
+ #
+ # You don't need to use these tags for regular forms as they generate their own hidden fields.
+ #
+ # For AJAX requests other than GETs, extract the "csrf-token" from the meta-tag and send as the
+ # "X-CSRF-Token" HTTP header. If you are using jQuery with jquery-rails this happens automatically.
+ #
+ def csrf_meta_tags
+ if protect_against_forgery?
+ [
+ tag('meta', :name => 'csrf-param', :content => request_forgery_protection_token),
+ tag('meta', :name => 'csrf-token', :content => form_authenticity_token)
+ ].join("\n").html_safe
+ end
+ end
+
+ # For backwards compatibility.
+ alias csrf_meta_tag csrf_meta_tags
+ end
+ end
+end
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-18 23:14:12 +0000