From e1ebf146b56a80395ed9e6d100bdb403921ada38 Mon Sep 17 00:00:00 2001
From: Zachary Scott
Date: Sun, 12 Apr 2015 21:56:01 -0700
Subject: Apply comments from @jeremy regarding why HTML and Javascript requests specifically are checked for CSRF, when dealing with the browser. [ci skip]
---
 actionpack/lib/action_controller/metal/request_forgery_protection.rb | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index a9d38b6660..b6c613849b 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -17,6 +17,11 @@ module ActionController #:nodoc:
 # as these should be idempotent. Keep in mind that all session-oriented requests
 # should be CSRF protected, including Javascript and HTML requests.
 #
+ # Since HTML and Javascript requests are typically made from the browser, we
+ # need to ensure to verify request authenticity for the web browser. We can
+ # use session-oriented authentication for these types requests, by using
+ # the `protect_form_forgery` method in our controllers.
+ #
 # GET requests are not protected since they don't have side effects like writing
 # to the database and don't leak sensitive information. JavaScript requests are
 # an exception: a third-party site can use a