Michiel Sikkes
2013-Jan-23 08:45 UTC
Here is a Pull Request that fixes that HEAD requests are broken for CSRF protection
Hello everyone,

I have been running a Rails 4 app in semi-production for a few weeks now and I noticed exceptions being raised when a crawler or bot did a HEAD request against normal URLs (like the frontpage). I tracked this down and it seems that with the replacement of ActionDispatch::Head by Rack::Head, HEAD requests aren't translated to GET requests any longer.

I have no idea what the correct solution is because I don't know the reason why AD::Head was replaced by Rack::Head, but I created a pull request that adds request.head? as a valid request to valid_request? for the CSRF protection code: https://github.com/rails/rails/pull/9032

However, I would guess that there was a bigger reason why HEADs were translated to GET by AD::Head, so we might need a different solution. What does everyone think?

Michiel
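The interaction described in the message above, as an added example that is not part of the original post and is not Rails or Rack source: a simplified model in which a CSRF check that exempts only GET rejects HEAD once the middleware stops rewriting the verb. All class names, method names, status codes and the token value are assumptions made for the illustration.

```ruby
# Simplified model of the middleware/CSRF interaction; NOT Rails or Rack source.
# Every class, method and value below is hypothetical and constructed.
Request = Struct.new(:verb, :params, :session_token)

# Older behaviour as the post describes it: HEAD reaches the app as GET.
class TranslatingHead
  def initialize(app)
    @app = app
  end

  def call(req)
    head = req.verb == "HEAD"
    inner = head ? Request.new("GET", req.params, req.session_token) : req
    status, body = @app.call(inner)
    [status, head ? "" : body]
  end
end

# Newer behaviour as the post describes it: the verb stays HEAD, only the body is dropped.
class BodyStrippingHead
  def initialize(app)
    @app = app
  end

  def call(req)
    status, body = @app.call(req)
    [status, req.verb == "HEAD" ? "" : body]
  end
end

# CSRF check: verbs listed as safe pass; anything else must carry the session token.
def verified?(req, safe_verbs)
  token = req.params["authenticity_token"]
  safe_verbs.include?(req.verb) || (!token.nil? && token == req.session_token)
end

def app_with(safe_verbs)
  ->(req) { verified?(req, safe_verbs) ? [200, "<h1>front page</h1>"] : [422, "invalid token"] }
end

def run(stack, verb, params = {})
  stack.call(Request.new(verb, params, "constructed-session-token"))
end

STACKS = {
  "translating, GET only"    => TranslatingHead.new(app_with(%w[GET])),
  "body-stripping, GET only" => BodyStrippingHead.new(app_with(%w[GET])),
  "body-stripping, GET+HEAD" => BodyStrippingHead.new(app_with(%w[GET HEAD]))
}
STACKS.each { |name, stack| puts "#{name}: HEAD / -> #{run(stack, 'HEAD').first}" }
```

In this model, adding HEAD to the exempt verbs restores crawler requests while a POST without the token is still rejected.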