From 6efc5bf4044a44bd8b207fc3197195f1a38c55db Mon Sep 17 00:00:00 2001
From: Vijay Dev <vijaydev.cse@gmail.com>
Date: Thu, 14 Jun 2012 22:37:17 +0530
Subject: copy editing [ci skip]

---
 .../lib/action_controller/metal/request_forgery_protection.rb | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)


diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
index 736f70af4c..53534c0307 100644
--- a/actionpack/lib/action_controller/metal/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -9,10 +9,13 @@ module ActionController #:nodoc:
   # by including a token in the rendered html for your application. This token is
   # stored as a random string in the session, to which an attacker does not have
   # access. When a request reaches your application, \Rails verifies the received
-  # token with the token in the session. All requests are checked except GET requests
-  # as these should be idempotent. It's important to remember that XML or JSON
-  # requests are also affected and if you're building an API you'll need
-  # something like that:
+  # token with the token in the session. Only HTML and JavaScript requests are checked,
+  # so this will not protect your XML API (presumably you'll have a different
+  # authentication scheme there anyway). Also, GET requests are not protected as these
+  # should be idempotent.
+  #
+  # It's important to remember that XML or JSON requests are also affected and if
+  # you're building an API you'll need something like:
   #
   #   class ApplicationController < ActionController::Base
   #     protect_from_forgery
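Review bot: The two rewritten paragraphs contradict each other: the first (lines 24-27) says only HTML and JavaScript requests are checked and an XML API is therefore not protected, while the next (lines 29-30) says XML or JSON requests "are also affected" and need the setup shown in the example. A reader deciding whether an API endpoint is covered by the token check gets opposite answers from adjacent sentences of a security-relevant doc. Whichever statement matches the actual verification logic in this file should stay; if the first is right, the second could become `# If you're building an XML or JSON API, you'll need something like:` so it introduces the example without asserting those requests are checked. The example the paragraph introduces continues past the end of the hunk.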
-- 