Merge pull request #11770 from timruffles/doc_ajax_xhr

be more specific about csrf token and ajax - not whitelisted outside of jquery-rails [ci skip]
rails · Feb 3, 2014 · d5e684f · d5e684f
1 parent 3469cee
commit d5e684f
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/actionpack/lib/action_view/helpers/csrf_helper.rb b/actionpack/lib/action_view/helpers/csrf_helper.rb
@@ -12,8 +12,10 @@ module CsrfHelper
       # These are used to generate the dynamic forms that implement non-remote links with
       # <tt>:method</tt>.
       #
-      # Note that regular forms generate hidden fields, and that Ajax calls are whitelisted,
+      # You don't need to use these tags for regular forms as they generate their own hidden fields.
-      # so they do not use these tags.
+      #
+      # For AJAX requests other than GETs, extract the "csrf-token" from the meta-tag and send as the
+      # "X-CSRF-Token" HTTP header. If you are using jQuery with jquery-rails this happens automatically.
       def csrf_meta_tags
         if protect_against_forgery?
           [