From 08525e3ef172873a5fa525b27f445012d9e226c3 Mon Sep 17 00:00:00 2001
From: Tim Ruffles <timruffles@googlemail.com>
Date: Fri, 26 Jul 2013 16:47:18 +0100
Subject: be more specific about csrf token and ajax - not whitelisted outside
 of jquery-rails [ci skip]

---
 actionview/lib/action_view/helpers/csrf_helper.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'actionview/lib/action_view/helpers/csrf_helper.rb')

diff --git a/actionview/lib/action_view/helpers/csrf_helper.rb b/actionview/lib/action_view/helpers/csrf_helper.rb
index eeb0ed94b9..5af92c4ff2 100644
--- a/actionview/lib/action_view/helpers/csrf_helper.rb
+++ b/actionview/lib/action_view/helpers/csrf_helper.rb
@@ -12,8 +12,11 @@ module ActionView
       # These are used to generate the dynamic forms that implement non-remote links with
       # <tt>:method</tt>.
       #
-      # Note that regular forms generate hidden fields, and that Ajax calls are whitelisted,
-      # so they do not use these tags.
+      # You don't need to use these tags for regular forms as they generate their own hidden fields.
+      #
+      # For AJAX requests other than GETs, extract the "csrf-token" from the meta-tag and send as the 
+      # "X-CSRF-Token" HTTP header. If you are using jQuery with jquery-rails this happens automatically.
+      #
       def csrf_meta_tags
         if protect_against_forgery?
           [
-- 
cgit v1.2.3