I have a route set up for CORS in a Sinatra app. The block is called with XHR but the call is rejected with the warning:
attack prevented by Rack::Protection::JsonCsrf
How does one structure an Ajax call to not trigger this protection on a route with CORS?
I had to explicitly turn off this protection for all my routes, something probably less than ideal :).
No, if your API is not session protected, turning off this protection is fine.
xhr requests cannot be used for the json attack, fixes #39
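The check discussed in this thread, as an added example that is not part of the original posts and not rack-protection's own code: a simplified model of when a JSON response is flagged, with and without the XHR exemption named in the commit message. The helper names, the `skip_xhr` switch and the sample requests are assumptions made for illustration; the model looks only at the response content type, the Referer host and the `X-Requested-With` header.

```ruby
require 'uri'

# Simplified model of the JsonCsrf decision; hypothetical helper names,
# not rack-protection's source.
JSON_TYPE = %r{\A\s*application/json\s*\z}.freeze

# Rack treats a request as XHR only when this header is present.
def xhr?(env)
  env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
end

def referrer_host(env)
  ref = env['HTTP_REFERER'].to_s
  ref.empty? ? nil : URI.parse(ref).host
rescue URI::InvalidURIError
  nil
end

# skip_xhr: false models the behaviour reported in the question,
# skip_xhr: true models the commit ("xhr requests cannot be used ...").
def json_csrf_vector?(env, response_headers, skip_xhr:)
  return false if skip_xhr && xhr?(env)
  media_type = response_headers['Content-Type'].to_s.split(';', 2).first.to_s
  return false unless media_type.match?(JSON_TYPE)
  referrer_host(env) != env['HTTP_HOST']
end

# Constructed sample requests (all hostnames are placeholders).
API = { 'HTTP_HOST' => 'api.example.test' }.freeze
CORS_XHR = API.merge('HTTP_REFERER' => 'https://app.example.test/ui',
                     'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest').freeze
CORS_NO_HEADER = API.merge('HTTP_REFERER' => 'https://app.example.test/ui').freeze
SAME_HOST = API.merge('HTTP_REFERER' => 'https://api.example.test/').freeze
JSON_RESPONSE = { 'Content-Type' => 'application/json; charset=utf-8' }.freeze

if __FILE__ == $PROGRAM_NAME
  { 'CORS XHR' => CORS_XHR, 'CORS, no X-Requested-With' => CORS_NO_HEADER,
    'same host' => SAME_HOST }.each do |name, env|
    before = json_csrf_vector?(env, JSON_RESPONSE, skip_xhr: false)
    after  = json_csrf_vector?(env, JSON_RESPONSE, skip_xhr: true)
    puts format('%-26s flagged before=%-5s after=%s', name, before, after)
  end
end
```

In this model the exemption only applies when the client actually sends `X-Requested-With: XMLHttpRequest`. For an API that is not session protected, Sinatra's `set :protection, except: :json_csrf` disables this one middleware and leaves the other protections on.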