Browse files

Added request.head? to forgery protection code

  • Loading branch information...
1 parent 64245e0 commit 2ef138f0d49e92550bb74a103df7ce5074b18241 @michiels michiels committed Jan 22, 2013
Showing with 2 additions and 2 deletions.
  1. +2 −2 actionpack/lib/action_controller/metal/request_forgery_protection.rb
View
4 actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -162,11 +162,11 @@ def verify_authenticity_token
# Returns true or false if a request is verified. Checks:
#
- # * is it a GET request? Gets should be safe and idempotent
+ # * is it a GET or HEAD request? Gets should be safe and idempotent
# * Does the form_authenticity_token match the given token value from the params?
# * Does the X-CSRF-Token header match the form_authenticity_token
def verified_request?
- !protect_against_forgery? || request.get? ||
+ !protect_against_forgery? || request.get? || request.head? ||
form_authenticity_token == params[request_forgery_protection_token] ||
form_authenticity_token == request.headers['X-CSRF-Token']
end

0 comments on commit 2ef138f

Please sign in to comment.