copy edits [ci skip]

1 parent 4f031c8 commit 903a9d51c0f736de3d5a82334190abe04f79b037 @vijaydev vijaydev committed May 27, 2012
Showing with 3 additions and 3 deletions.
  1. +3 −3 guides/source/security.textile
6 guides/source/security.textile
@@ -240,12 +240,12 @@ It is common to use persistent cookies to store user information, with +cookies.
<ruby>
def handle_unverified_request
- super
- sign_out_user # Example method that will destroy the user cookies.
+ super
+ sign_out_user # Example method that will destroy the user cookies.
end
</ruby>
-The above method could be placed in the +ApplicationController+ and will be called when a CSRF token is not present on a POST request.
+The above method can be placed in the +ApplicationController+ and will be called when a CSRF token is not present on a non-GET request.
Note that _(highlight)cross-site scripting (XSS) vulnerabilities bypass all CSRF protections_. XSS gives the attacker access to all elements on a page, so he can read the CSRF security token from a form or directly submit the form. Read <a href="#cross-site-scripting-xss">more about XSS</a> later.
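Review bot: the rewritten sentence still describes the trigger as "when a CSRF token is not present", but the same guide text right after it explains that an attacker who can read the token can submit the form with it, so the reader needs to know the handler also covers a token that is present but does not match. Suggest "when a CSRF token is missing or does not match on a non-GET request". The change from "POST" to "non-GET" is the right correction, since the protection is not limited to POST. The two `super` / `sign_out_user` lines inside the `<ruby>` block appear unchanged apart from indentation; a whitespace-only reindent is fine for a copy-edit commit, but the diff would be easier to read if the prose and indentation changes were separated.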

1 comment on commit 903a9d5

@erichmenge

Sorry to make you work harder @vijaydev. I double checked what I wrote, but sometimes the things one writes look okay on a second or third pass even though they aren't :)
