Permalink
Browse files

Document the CSRF whitelisting on get requests

  • Loading branch information...
1 parent 5907b0b commit 39856627e0e3d50db4eb400bdfaca3bc0958d211 @danielvlopes danielvlopes committed Jun 7, 2012
Showing with 16 additions and 5 deletions.
  1. +16 −5 actionpack/lib/action_controller/metal/request_forgery_protection.rb
View
21 actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -8,11 +8,22 @@ class InvalidAuthenticityToken < ActionControllerError #:nodoc:
# Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks
# by including a token in the rendered html for your application. This token is
# stored as a random string in the session, to which an attacker does not have
- # access. When a request reaches your application, \Rails verifies the received
- # token with the token in the session. Only HTML and JavaScript requests are checked,
- # so this will not protect your XML API (presumably you'll have a different
- # authentication scheme there anyway). Also, GET requests are not protected as these
- # should be idempotent.
+ # access. When a request reaches your application, Rails verifies the received
+ # token with the token in the session. All requests are checked except GET requests
+ # as these should be idempotent. It's is important to remember that XML or JSON
+ # requests are also affected and if you're building an API you'll need
+ # something like that:
+ #
+ # class ApplicationController < ActionController::Base
+ # protect_from_forgery
+ # skip_before_filter :verify_authenticity_token, :if => json_request?
+ #
+ # protected
+ #
+ # def json_request?
+ # request.format.json?
+ # end
+ # end
#
# CSRF protection is turned on with the <tt>protect_from_forgery</tt> method,
# which checks the token and resets the session if it doesn't match what was expected.

0 comments on commit 3985662

Please sign in to comment.