<?xml version="1.0" encoding="UTF-8"?>
<commit>
  <added type="array"/>
  <modified type="array">
    <modified>
      <diff>@@ -7,6 +7,8 @@
 
 * Fixed that redirection would just log the options, not the final url (which lead to &quot;Redirected to #&lt;Post:0x23150b8&gt;&quot;) [DHH]
 
+* Don't check authenticity tokens for any AJAX requests [Ross Kaffenberger/Bryan Helmkamp]
+
 * Added ability to pass in :public =&gt; true to fresh_when, stale?, and expires_in to make the request proxy cachable #2095 [Gregg Pollack]
 
 * Fixed that passing a custom form builder would be forwarded to nested fields_for calls #2023 [Eloy Duran/Nate Wiger]</diff>
      <filename>actionpack/CHANGELOG</filename>
    </modified>
    <modified>
      <diff>@@ -81,12 +81,13 @@ module ActionController #:nodoc:
       
       # Returns true or false if a request is verified.  Checks:
       #
-      # * is the format restricted?  By default, only HTML and AJAX requests are checked.
+      # * is the format restricted?  By default, only HTML requests are checked.
       # * is it a GET request?  Gets should be safe and idempotent
       # * Does the form_authenticity_token match the given token value from the params?
       def verified_request?
         !protect_against_forgery?     ||
           request.method == :get      ||
+          request.xhr?                ||
           !verifiable_request_format? ||
           form_authenticity_token == params[request_forgery_protection_token]
       end</diff>
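Review bot: The added `request.xhr? ||` short-circuit turns the authenticity-token comparison off for any request carrying an `X-Requested-With: XMLHttpRequest` header, and that header is set by the client, so the whole protection now rests on the assumption that no cross-origin page can make a browser send it — an assumption the commit neither states nor justifies. If any browser, plugin or intermediary lets a third-party origin attach that header to a POST/PUT/DELETE, this is a complete CSRF bypass for every controller using protect_from_forgery. A safer way to spare AJAX callers from embedding the token in the body is to keep the comparison and additionally accept the token from a header the page's own JavaScript sets, e.g. `form_authenticity_token == params[request_forgery_protection_token] || form_authenticity_token == request.headers['X-CSRF-Token']`, dropping the `request.xhr?` line. Independently, the bullet list above no longer matches the code: it should gain `# * is it an XHR request? Skipped on the assumption that only same-origin scripts can set X-Requested-With`. verified_request? is shown in full here.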
      <filename>actionpack/lib/action_controller/base/request_forgery_protection.rb</filename>
    </modified>
    <modified>
      <diff>@@ -151,14 +151,10 @@ module RequestForgeryProtectionTests
       delete :index, :format =&gt; 'xml'
     end
   end
-
+  
   def test_should_allow_xhr_post_without_token
     assert_nothing_raised { xhr :post, :index }
   end
-  def test_should_not_allow_xhr_post_with_html_without_token
-    @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
-    assert_raise(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
-  end
   
   def test_should_allow_xhr_put_without_token
     assert_nothing_raised { xhr :put, :index }
@@ -168,6 +164,11 @@ module RequestForgeryProtectionTests
     assert_nothing_raised { xhr :delete, :index }
   end
   
+  def test_should_allow_xhr_post_with_encoded_form_content_type_without_token
+    @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
+    assert_nothing_raised { xhr :post, :index }
+  end
+  
   def test_should_allow_post_with_token
     post :index, :authenticity_token =&gt; @token
     assert_response :success</diff>
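Review bot: Deleting `test_should_not_allow_xhr_post_with_html_without_token` leaves the XHR coverage with only `assert_nothing_raised` cases, so nothing in these hunks would fail if `verified_request?` started returning true for every request. If the suite does not already have one outside these hunks, add a negative counterpart for the non-XHR case, `@request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s` followed by `assert_raise(ActionController::InvalidAuthenticityToken) { post :index }`, so the bypass is pinned to `request.xhr?` and not to the content type. The RequestForgeryProtectionTests module continues outside the hunk.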
      <filename>actionpack/test/controller/request_forgery_protection_test.rb</filename>
    </modified>
  </modified>
  <removed type="array"/>
  <parents type="array">
    <parent>
      <id>3c1187699a80e0c4a003f5693389595cd644390f</id>
    </parent>
  </parents>
  <author>
    <name>Ross Kaffenburger and Bryan Helmkamp</name>
    <email>developers@weplay.com</email>
  </author>
  <url>http://github.com/rails/rails/commit/256b0ee8e3c1610967dfc89f864e24b98ed3c236</url>
  <id>256b0ee8e3c1610967dfc89f864e24b98ed3c236</id>
  <committed-date>2009-04-15T16:04:21-07:00</committed-date>
  <authored-date>2009-03-04T13:05:15-08:00</authored-date>
  <message>Don't check authenticity tokens for any AJAX requests</message>
  <tree>057ef8c74d5aeaf964dd7a1743359a758c1bbf7a</tree>
  <committer>
    <name>Carl Lerche &amp; Yehuda Katz</name>
    <email>wycats@gmail.com</email>
  </committer>
</commit>
