Document Request.js in the guides [ci-skip] #47365
4a6e5f9 to c82ce11
When using another library to make Ajax calls, it is necessary to add the | ||
security token as a default header for Ajax calls in your library. To get the | ||
token, have a look at <meta name='csrf-token' content='THE-TOKEN'> tag printed | ||
by <%= csrf_meta_tags %> in your application view. |
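Review bot: the sentence "have a look at `<meta name='csrf-token' content='THE-TOKEN'>`" does not say how the token should get from the page into the request, and it reads as if the value can be copied out of the page source. Suggest saying that the value is read from the meta tag in the browser when the request is made, and naming the header it is sent in, since "add the security token as a default header" leaves both open.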
I don't think users should be copy/pasting the output of `csrf_meta_tags`
in their code as it will break the next time the secret changes.
I'm not sure what the right approach is here though, off the top of my head.
`document.head.querySelector("meta[name=csrf-token]")?.content` does the trick (adapted from here)
Thanks @bdewater!
I copied the original text from the security guide. I'll change it there as well.
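The approach discussed in this thread, as an added example that is not part of the pull request, the comments above, Rails or Request.js: the token is read from the meta tag at request time and sent as `X-CSRF-Token` only on same-origin requests that Rails verifies. The names `csrfToken`, `csrfFetch`, `fakeDocument`, the `env` parameter and the `app.example` / `other.example` hosts are assumptions made for the example.

```javascript
// Added example, not Rails or Request.js code: csrfToken, csrfFetch and the
// injectable env (doc, origin, fetchImpl) are hypothetical names.
const UNVERIFIED = new Set(["GET", "HEAD"]); // Rails does not check the token on these

// Read the token from the rendered page on every call, so a rotated secret
// or a new session is picked up without changing any JavaScript.
function csrfToken(doc) {
  return doc.head.querySelector("meta[name=csrf-token]")?.content ?? null;
}

// fetch wrapper: attach X-CSRF-Token only to same-origin requests that Rails
// verifies. Sending it to another origin would disclose the token.
function csrfFetch(url, options = {}, env = {}) {
  const { doc = globalThis.document, origin = globalThis.location?.origin,
          fetchImpl = globalThis.fetch } = env;
  const method = (options.method || "GET").toUpperCase();
  const target = new URL(url, origin);
  const headers = { ...(options.headers || {}) };
  if (!UNVERIFIED.has(method) && target.origin === origin) {
    const token = csrfToken(doc);
    if (token === null) throw new Error("csrf-token meta tag not found");
    headers["X-CSRF-Token"] = token;
  }
  return fetchImpl(target.href, { ...options, method, headers });
}

// Constructed stand-ins so the block runs outside a browser.
function fakeDocument(token) {
  const meta = token ? { content: token } : null;
  return { head: { querySelector: (sel) => (sel === "meta[name=csrf-token]" ? meta : null) } };
}

function demo() {
  const sent = [];
  const fetchImpl = (url, init) => { sent.push({ url, init }); return Promise.resolve({ ok: true }); };
  const env = { doc: fakeDocument("constructed-token-1"), origin: "https://app.example", fetchImpl };
  csrfFetch("/posts/1", { method: "delete" }, env);                 // verified, same origin
  csrfFetch("/posts", {}, env);                                     // GET: no token needed
  csrfFetch("https://other.example/hook", { method: "POST" }, env); // cross-origin: withheld
  return sent.map(({ url, init }) => [init.method, url, init.headers["X-CSRF-Token"] ?? null]);
}

console.log(demo());
```

In a browser the `env` argument can be omitted, in which case the real `document`, `location.origin` and `fetch` are used.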
9706dd2 to e3d5472
With the removal of UJS as a default dependency, it can be unclear what to use for Ajax calls. The Rails Request.js is the official library to use in this case, so it should be documented in the guides.
e3d5472 to 83574a7
@@ -300,3 +301,43 @@ added to the form that the `button_to` helper renders internally: | |||
```erb | |||
<%= button_to "Delete post", post, method: :delete, form: { data: { turbo_confirm: "Are you sure?" } } %> | |||
``` | |||
|
|||
### Ajax Requests |
How about a link to the security doc with more detail on CSRF?
Will follow up on this after.