
Commit 523f3ba

Ross Kaffenburger and Bryan Helmkamp authored and lifo committed
Don't check authenticity tokens for any AJAX requests
1 parent 60122e8 commit 523f3ba

3 files changed

+10
-6
lines changed

actionpack/CHANGELOG

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,8 @@
77

88
* Fixed that redirection would just log the options, not the final url (which lead to "Redirected to #<Post:0x23150b8>") [DHH]
99

10+
* Don't check authenticity tokens for any AJAX requests [Ross Kaffenberger/Bryan Helmkamp]
11+
1012
* Added ability to pass in :public => true to fresh_when, stale?, and expires_in to make the request proxy cachable #2095 [Gregg Pollack]
1113

1214
* Fixed that passing a custom form builder would be forwarded to nested fields_for calls #2023 [Eloy Duran/Nate Wiger]
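Review bot: The new CHANGELOG entry records only the behaviour change, not why it is safe; since this widens what verify_authenticity_token accepts, the entry should state the assumption being relied on (that a request carrying the XHR marker cannot be produced by a cross-origin page) so that anyone reading the release notes can judge whether that assumption holds for their deployment.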

actionpack/lib/action_controller/request_forgery_protection.rb

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -81,12 +81,13 @@ def verify_authenticity_token
8181

8282
# Returns true or false if a request is verified. Checks:
8383
#
84-
# * is the format restricted? By default, only HTML and AJAX requests are checked.
84+
# * is the format restricted? By default, only HTML requests are checked.
8585
# * is it a GET request? Gets should be safe and idempotent
8686
# * Does the form_authenticity_token match the given token value from the params?
8787
def verified_request?
8888
!protect_against_forgery? ||
8989
request.method == :get ||
90+
request.xhr? ||
9091
!verifiable_request_format? ||
9192
form_authenticity_token == params[request_forgery_protection_token]
9293
end
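Review bot: The added `request.xhr? ||` clause short-circuits ahead of both `!verifiable_request_format?` and the `form_authenticity_token == params[request_forgery_protection_token]` comparison, so any request that request.xhr? recognises (it keys off the X-Requested-With request header) is accepted with no token at all, whatever its content type. The CSRF guarantee for those requests now rests entirely on no cross-origin client being able to attach that header; if any client can, this clause is a complete bypass rather than a narrowing of the check. At minimum the doc comment should name that assumption, and its bullet list should gain an entry for the new condition (e.g. `# * is it an XHR request? These are not checked because ...`), since the bullets at lines 84-86 enumerate the other clauses but the new one is undocumented. It is also worth reconsidering whether form-encoded XHR bodies should keep the token check, which the old behaviour enforced.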

actionpack/test/controller/request_forgery_protection_test.rb

Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -151,14 +151,10 @@ def test_should_not_allow_api_formatted_delete_sent_as_multipart_form_without_to
151151
delete :index, :format => 'xml'
152152
end
153153
end
154-
154+
155155
def test_should_allow_xhr_post_without_token
156156
assert_nothing_raised { xhr :post, :index }
157157
end
158-
def test_should_not_allow_xhr_post_with_html_without_token
159-
@request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
160-
assert_raise(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
161-
end
162158

163159
def test_should_allow_xhr_put_without_token
164160
assert_nothing_raised { xhr :put, :index }
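Review bot: Removing test_should_not_allow_xhr_post_with_html_without_token deletes the only test asserting that a form-encoded (Mime::URL_ENCODED_FORM) XHR POST without a token raises ActionController::InvalidAuthenticityToken, so after this change the suite has no negative case for the XHR path at all. If the intent is to drop that guarantee deliberately, the commit message or CHANGELOG should say so explicitly rather than leaving the reversal implicit in a test deletion. The 154-/154+ pair is a whitespace-only change and could be dropped from the hunk to keep the diff focused.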
@@ -168,6 +164,11 @@ def test_should_allow_xhr_delete_without_token
168164
assert_nothing_raised { xhr :delete, :index }
169165
end
170166

167+
def test_should_allow_xhr_post_with_encoded_form_content_type_without_token
168+
@request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
169+
assert_nothing_raised { xhr :post, :index }
170+
end
171+
171172
def test_should_allow_post_with_token
172173
post :index, :authenticity_token => @token
173174
assert_response :success
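Review bot: test_should_allow_xhr_post_with_encoded_form_content_type_without_token is the exact inverse of the test deleted above and only checks assert_nothing_raised; it should also assert the outcome, as test_should_allow_post_with_token does with `assert_response :success`, so that a silent failure path (for example a filter that halts without raising) does not make the test pass vacuously. Given that this test documents the new bypass of the token check for form-encoded XHR bodies, a short comment stating why that is considered acceptable would help a future reader who sees only the test.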
