From f7d81c924fd498ae6fd1852070db0553a10b0c41 Mon Sep 17 00:00:00 2001
From: Andrey Nering <andrey.nering@gmail.com>
Date: Fri, 19 Dec 2014 21:51:51 -0200
Subject: Add note about Ajax and CSRF-Token [ci skip]

---
 guides/source/security.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'guides/source/security.md')

diff --git a/guides/source/security.md b/guides/source/security.md
index b3869b1ba5..32890e0606 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -237,7 +237,7 @@ Or the attacker places the code into the onmouseover event handler of an image:
 <img src="http://www.harmless.com/img" width="400" height="400" onmouseover="..." />
 ```
 
-There are many other possibilities, like using a `<script>` tag to make a cross-site request to a URL with a JSONP or JavaScript response. The response is executable code that the attacker can find a way to run, possibly extracting sensitive data. To protect against this data leakage, we disallow cross-site `<script>` tags. Only Ajax requests may have JavaScript responses since XmlHttpRequest is subject to the browser Same-Origin policy - meaning only your site can initiate the request.
+There are many other possibilities, like using a `<script>` tag to make a cross-site request to a URL with a JSONP or JavaScript response. The response is executable code that the attacker can find a way to run, possibly extracting sensitive data. To protect against this data leakage, we disallow cross-site `<script>` tags. Only Ajax requests may have JavaScript responses since `XMLHttpRequest` is subject to the browser Same-Origin policy - meaning only your site can initiate the request.
 
 To protect against all other forged requests, we introduce a _required security token_ that our site knows but other sites don't know. We include the security token in requests and verify it on the server. This is a one-liner in your application controller, and is the default for newly created rails applications:
 
@@ -247,6 +247,13 @@ protect_from_forgery with: :exception
 
 This will automatically include a security token in all forms and Ajax requests generated by Rails. If the security token doesn't match what was expected, an exception will be thrown.
 
+NOTE: By default, Rails includes jQuery and a [unobtrusive scripting adapter for jQuery](https://github.com/rails/jquery-ujs),
+which adds a header called `X-CSRF-Token` on every non-GET Ajax call made by jQuery with the security token.
+Without this header, your non-GET requests won't be accepted by Rails. If you want to use another library
+to make Ajax calls, you will have to find how add the security token as a default header for Ajax calls in
+your library. To get the token have a look at the `<meta name='csrf-token' content='THE-TOKEN'>` tag printed
+by `<%= csrf_meta_tags %>` in your application view.
+
 It is common to use persistent cookies to store user information, with `cookies.permanent` for example. In this case, the cookies will not be cleared and the out of the box CSRF protection will not be effective. If you are using a different cookie store than the session for this information, you must handle what to do with it yourself:
 
 ```ruby
-- 
cgit v1.2.3