From 4f4fdd643f9d19fbbeeec3ac77674f791c9beffa Mon Sep 17 00:00:00 2001
From: Jeremy Kemper <jeremy@bitsweat.net>
Date: Tue, 17 Dec 2013 16:02:04 -0700
Subject: Clearly limit new CSRF protection to GET requests

---
 .../lib/action_controller/metal/request_forgery_protection.rb    | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'actionpack/lib/action_controller')

diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 8cdb9a7655..c88074d4c6 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -190,7 +190,7 @@ module ActionController #:nodoc:
       # verify that JavaScript responses are for XHR requests, ensuring they
       # follow the browser's same-origin policy.
       def verify_authenticity_token
-        @marked_for_same_origin_verification = true
+        mark_for_same_origin_verification!
 
         if !verified_request?
           logger.warn "Can't verify CSRF token authenticity" if logger
@@ -218,10 +218,15 @@ module ActionController #:nodoc:
         end
       end
 
+      # GET requests are checked for cross-origin JavaScript after rendering.
+      def mark_for_same_origin_verification!
+        @marked_for_same_origin_verification = request.get?
+      end
+
       # If the `verify_authenticity_token` before_action ran, verify that
       # JavaScript responses are only served to same-origin GET requests.
       def marked_for_same_origin_verification?
-        defined? @marked_for_same_origin_verification
+        @marked_for_same_origin_verification ||= false
       end
 
       # Check for cross-origin JavaScript responses.
-- 
cgit v1.2.3