Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
BACKWARDS-INCOMPATIBLE: Fix XSRF security vulnerability.
This is a backwards-incompatible change. Applications that previously relied on a blanket exception for XMLHTTPRequest may need to be modified to explicitly include the XSRF token when making ajax requests. The tornado chat demo application demonstrates one way of adding this token (specifically the function postJSON in demos/chat/static/chat.js). More information about this change and its justification can be found at http://www.djangoproject.com/weblog/2011/feb/08/security/ http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails Closes tornadoweb#214.
- Loading branch information