Browse files

Merge pull request #11770 from timruffles/doc_ajax_xhr

be more specific about csrf token and ajax - not whitelisted outside of jquery-rails [ci skip]
  • Loading branch information...
1 parent 3469cee commit d5e684f1a7a7d8c60d413651ae316ebd5ab2c9c4 @senny senny committed Feb 3, 2014
Showing with 4 additions and 2 deletions.
  1. +4 −2 actionpack/lib/action_view/helpers/csrf_helper.rb
6 actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -12,8 +12,10 @@ module CsrfHelper
# These are used to generate the dynamic forms that implement non-remote links with
# <tt>:method</tt>.
- # Note that regular forms generate hidden fields, and that Ajax calls are whitelisted,
- # so they do not use these tags.
+ # You don't need to use these tags for regular forms as they generate their own hidden fields.
+ #
+ # For AJAX requests other than GETs, extract the "csrf-token" from the meta-tag and send as the
+ # "X-CSRF-Token" HTTP header. If you are using jQuery with jquery-rails this happens automatically.
def csrf_meta_tags
if protect_against_forgery?

0 comments on commit d5e684f

Please sign in to comment.