From 39856627e0e3d50db4eb400bdfaca3bc0958d211 Mon Sep 17 00:00:00 2001 From: Daniel Lopes Date: Thu, 7 Jun 2012 15:19:49 -0300 Subject: Document the CSRF whitelisting on get requests --- .../metal/request_forgery_protection.rb | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index 95b0e99ed5..eb7057d278 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -8,11 +8,22 @@ module ActionController #:nodoc: # Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks # by including a token in the rendered html for your application. This token is # stored as a random string in the session, to which an attacker does not have - # access. When a request reaches your application, \Rails verifies the received - # token with the token in the session. Only HTML and JavaScript requests are checked, - # so this will not protect your XML API (presumably you'll have a different - # authentication scheme there anyway). Also, GET requests are not protected as these - # should be idempotent. + # access. When a request reaches your application, Rails verifies the received + # token with the token in the session. All requests are checked except GET requests + # as these should be idempotent. It's is important to remember that XML or JSON + # requests are also affected and if you're building an API you'll need + # something like that: + # + # class ApplicationController < ActionController::Base + # protect_from_forgery + # skip_before_filter :verify_authenticity_token, :if => json_request? + # + # protected + # + # def json_request? + # request.format.json? + # end + # end # # CSRF protection is turned on with the protect_from_forgery method, # which checks the token and resets the session if it doesn't match what was expected. -- cgit v1.2.3