@@ -25,7 +25,7 @@ module Mime # These are the content types which browsers can generate without using ajax, flash, etc # i.e. following a link, getting an image or posting a form. CSRF protection # only needs to protect against these types. - @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form] + @@browser_generated_types = Set.new [:html, :url_encoded_form, :multipart_form, :text] cattr_reader :browser_generated_types @@ -177,7 +177,7 @@ module Mime end # Returns true if Action Pack should check requests using this Mime Type for possible request forgery. See - # ActionController::RequestForgerProtection. + # ActionController::RequestForgeryProtection. def verify_request? browser_generated? end actionpack/lib/action_controller/mime_type.rb 2530d0eea8eaecd2c61f99225f050ff47973e9a0 Michael Koziarski michael@koziarski.com http://github.com/rails/rails/commit/8c197fb4ab4fa432a6e9421e0339a17a7ec296f1 8c197fb4ab4fa432a6e9421e0339a17a7ec296f1 2008-11-16T11:24:46-08:00 2008-11-16T11:19:02-08:00 Add text/plain to the browser_generated_types array as webkit and gecko can submit them. For more information see: http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/ 5efbb2355fa3a461d75e18139cfbb429b75eb012 Michael Koziarski michael@koziarski.com