Improved explanation of the <script> tag CSRF behavior

[designgrill]

Fixes #21547

This change clarifies that any js response -

• generated through controllers; and
• is not for an ajax request

will get blocked due to CSRF protection. This behavior is default irrespective of whether the <script> tag is remote or one of your own.

[rails-bot]

Thanks for the pull request, and welcome! The Rails team is excited to review your changes, and you should hear from @eileencodes (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

Please see the contribution instructions for more information.

[eileencodes]

Thanks for the PR! In the future when you do documentation PR's can you add [ci skip] to your commit message so travis doesn't run?

[jeremy]

Good point that the docs aren't pointed enough about this. The update drains a bit of clarity from the purpose of the CSRF script protection, though. Addressed that in 4d77e02

[designgrill]

@eileencodes Sure, will keep that in mind next time.

@jeremy Thanks for adding your magic in there. The notes are a better idea.