I was reading through the security guide and working on some basic ajax... I
thought it might be worth a mention in the guide that we don't need to set
the X-CSRF-Token header when we create an ajax call. It is mentioned, but
not very clear. I had to dig into
rails <https://github.com/rails/rails/blob/28abd967fcc8544650c73910a8a0cbaa6dafc1f5/actionview/lib/action_view/helpers/csrf_helper.rb> to
find what actually happens.
I have created a branch with the following text, added after line 242 in
guides/source/security.md
> If you are using 'jquery-rails' then your ajax calls will automatically
> include an 'X-CSRF-Token' HTTP header. The value of this header will match
> the 'csrf-token' meta tag in your document head. Rails will reject any
> incoming ajax call if the token is missing or incorrect. Malicious ajax
> which executes in the context of a different document will not have access
> to the csrf-token meta tag.
If this seems like a good addition, I am happy to submit it as a pull
request to rails.git
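As an added example, not part of the original post, the guide, or jquery-rails itself: the Node script below models the client-side behaviour the proposed text describes (token read from the csrf-token meta tag, header added only to same-origin requests, mirroring what jquery_ujs's $.ajaxPrefilter does) together with the server-side comparison, so the three rejection cases can be exercised offline. The function names csrfTokenFromHtml, isCrossDomain, buildRequestHeaders and verifiedRequest, the origin app.example, the page HTML and the token value are assumptions made for the example. The server-side check is a direct comparison against the session token; it skips the per-request token masking that later Rails versions add.

```javascript
// Added example (not from the guide or jquery-rails): models what jquery_ujs's
// $.ajaxPrefilter does with the csrf-token meta tag, plus the comparison Rails
// performs on the server. No browser or jQuery required; runs under Node.

// Extract the content of <meta name="csrf-token" content="..."> from an HTML
// string. In the browser jquery_ujs does $('meta[name=csrf-token]').attr('content').
function csrfTokenFromHtml(html) {
  const m = /<meta\s+name=["']csrf-token["']\s+content=["']([^"']*)["']/i.exec(html);
  return m ? m[1] : null;
}

// jQuery marks a request crossDomain when protocol, host or port differ from
// the page; URL.origin normalises default ports the same way.
function isCrossDomain(pageOrigin, requestUrl) {
  const target = new URL(requestUrl, pageOrigin);
  return target.origin !== new URL(pageOrigin).origin;
}

// Mirror of the jquery_ujs prefilter: add the header only for same-origin
// requests and only when a token was found. Returns the headers that would be sent.
function buildRequestHeaders(pageOrigin, requestUrl, html, headers = {}) {
  const out = { ...headers };
  if (isCrossDomain(pageOrigin, requestUrl)) return out;
  const token = csrfTokenFromHtml(html);
  if (token) out['X-CSRF-Token'] = token;
  return out;
}

// Server side: the request is accepted only if the header (or the form param)
// matches the token held in the session; a missing or wrong token is rejected.
// Constant-time comparison so a mismatch does not leak where the bytes differ.
function verifiedRequest(sessionToken, headers, params = {}) {
  const presented = headers['X-CSRF-Token'] || params.authenticity_token;
  if (!presented || presented.length !== sessionToken.length) return false;
  let diff = 0;
  for (let i = 0; i < sessionToken.length; i++) {
    diff |= presented.charCodeAt(i) ^ sessionToken.charCodeAt(i);
  }
  return diff === 0;
}

// Constructed sample (assumption): the head of a page rendered with csrf_meta_tags.
const SESSION_TOKEN = 'bRtPb5fQ7zM4kO1wT9xH2yUeLvN6sJcDgAaKiZ0Xn8Q=';
const PAGE_HTML = `<head><meta name="csrf-param" content="authenticity_token" />
<meta name="csrf-token" content="${SESSION_TOKEN}" /></head>`;
const ORIGIN = 'https://app.example';

// Runs the four cases the guide text implies: same-origin call carries the token
// and is accepted; a cross-origin call, a page with no meta tag, and a guessed
// token are all rejected.
function demo() {
  const sameOrigin = buildRequestHeaders(ORIGIN, '/posts', PAGE_HTML);
  const crossOrigin = buildRequestHeaders(ORIGIN, 'https://other.example/posts', PAGE_HTML);
  const noMeta = buildRequestHeaders(ORIGIN, '/posts', '<head></head>');
  return {
    sameOriginAccepted: verifiedRequest(SESSION_TOKEN, sameOrigin),
    crossOriginAccepted: verifiedRequest(SESSION_TOKEN, crossOrigin),
    noMetaAccepted: verifiedRequest(SESSION_TOKEN, noMeta),
    wrongTokenAccepted: verifiedRequest(SESSION_TOKEN, { 'X-CSRF-Token': 'x'.repeat(44) }),
  };
}

console.log(demo());
```

The cross-origin case is the one the proposed paragraph is really about: a page on another origin cannot read the meta tag, and even if it could fire a same-site XHR the prefilter only attaches the header when the request is not crossDomain, so the server sees no token and rejects the call.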