From 6efc5bf4044a44bd8b207fc3197195f1a38c55db Mon Sep 17 00:00:00 2001 From: Vijay Dev Date: Thu, 14 Jun 2012 22:37:17 +0530 Subject: copy editing [ci skip] --- .../lib/action_controller/metal/request_forgery_protection.rb | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'actionpack/lib/action_controller/metal') diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb index 736f70af4c..53534c0307 100644 --- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb +++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb @@ -9,10 +9,13 @@ module ActionController #:nodoc: # by including a token in the rendered html for your application. This token is # stored as a random string in the session, to which an attacker does not have # access. When a request reaches your application, \Rails verifies the received - # token with the token in the session. All requests are checked except GET requests - # as these should be idempotent. It's important to remember that XML or JSON - # requests are also affected and if you're building an API you'll need - # something like that: + # token with the token in the session. Only HTML and JavaScript requests are checked, + # so this will not protect your XML API (presumably you'll have a different + # authentication scheme there anyway). Also, GET requests are not protected as these + # should be idempotent. + # + # It's important to remember that XML or JSON requests are also affected and if + # you're building an API you'll need something like: # # class ApplicationController < ActionController::Base # protect_from_forgery -- cgit v1.2.3