Permalink
Browse files

Merge pull request #11770 from timruffles/doc_ajax_xhr

be more specific about csrf token and ajax - not whitelisted outside of jquery-rails [ci skip]
  • Loading branch information...
2 parents dd493d3 + 08525e3 commit 28abd967fcc8544650c73910a8a0cbaa6dafc1f5 @senny senny committed Feb 3, 2014
Showing with 5 additions and 2 deletions.
  1. +5 −2 actionview/lib/action_view/helpers/csrf_helper.rb
@@ -12,8 +12,11 @@ module CsrfHelper
# These are used to generate the dynamic forms that implement non-remote links with
# <tt>:method</tt>.
#
- # Note that regular forms generate hidden fields, and that Ajax calls are whitelisted,
- # so they do not use these tags.
+ # You don't need to use these tags for regular forms as they generate their own hidden fields.
+ #
+ # For AJAX requests other than GETs, extract the "csrf-token" from the meta-tag and send as the
+ # "X-CSRF-Token" HTTP header. If you are using jQuery with jquery-rails this happens automatically.
+ #
def csrf_meta_tags
if protect_against_forgery?
[

0 comments on commit 28abd96

Please sign in to comment.