From 256b0ee8e3c1610967dfc89f864e24b98ed3c236 Mon Sep 17 00:00:00 2001
From: Ross Kaffenburger and Bryan Helmkamp
Date: Wed, 4 Mar 2009 16:05:15 -0500
Subject: Don't check authenticity tokens for any AJAX requests

---
 actionpack/lib/action_controller/base/request_forgery_protection.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'actionpack/lib/action_controller/base')

diff --git a/actionpack/lib/action_controller/base/request_forgery_protection.rb b/actionpack/lib/action_controller/base/request_forgery_protection.rb
index f3e6288c26..3067122ceb 100644
--- a/actionpack/lib/action_controller/base/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/base/request_forgery_protection.rb
@@ -81,12 +81,13 @@ module ActionController #:nodoc:
   # Returns true or false if a request is verified. Checks:
   #
-  # * is the format restricted? By default, only HTML and AJAX requests are checked.
+  # * is the format restricted? By default, only HTML requests are checked.
   # * is it a GET request? Gets should be safe and idempotent
   # * Does the form_authenticity_token match the given token value from the params?
   def verified_request?
     !protect_against_forgery? || request.method == :get ||
+      request.xhr? ||
       !verifiable_request_format? ||
       form_authenticity_token == params[request_forgery_protection_token]
   end
--
cgit v1.2.3
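Review bot: The added `request.xhr? ||` short-circuits ahead of the token comparison in `verified_request?`, so any non-GET request that `xhr?` classifies as AJAX (presumably by the `X-Requested-With` header; its definition is outside this hunk) skips CSRF verification entirely, whatever its format. That is only safe while no cross-origin mechanism can attach that header, which is not a browser guarantee: plugins and cross-origin XHR with custom headers have been able to set it, and Rails later reverted this exemption for exactly that reason (CVE-2011-0447). I would drop the line and keep XHR on the same `form_authenticity_token == params[request_forgery_protection_token]` path, with the JS helpers sending the token as a param or header. If the exemption is kept, the updated doc comment should state it and its assumption, since `# By default, only HTML requests are checked` no longer describes the condition: `# * is it an XHR request? Exempt on the assumption that only same-origin script can set X-Requested-With -- verify this holds`. The hunk header claims 12 old lines but only 10 are shown, so some trailing context appears lost in rendering.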