On 05/01/2012, at 12:48 PM, 2potatocakes wrote:
> I've just added this to my application controller and it seems to be
> working ok for what I need now though.
>
> before_filter(:except => [:index, :show]) do |controller|
>   protect_from_forgery unless controller.request.format.xml?
> end
This could leave you open to CSRF attacks that have ".xml" appended to the target URL. It's certainly a big improvement on no protection at all, though.

--
Paul

--
You received this message because you are subscribed to the Google Groups "Ruby or Rails Oceania" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/rails-oceania?hl=en.
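As an added example that is not part of this thread, the Ruby below models the filter quoted above as a decision-level policy, without Rails, and sets it beside an alternative that keys the exemption off how the caller authenticates rather than off the request format. The `Request` struct, the session token, the API key, the `X-Api-Key` header and the `auth_based_policy` design are all this example's own assumptions, not code from the thread or from Rails; the four request shapes are constructed to show why a format-based exemption is reachable from a victim's browser (the format comes from the URL extension, which the page controlling the victim's browser chooses) while a cookie-vs-credential exemption is not.

```ruby
# Added example (not from the thread). Models the CSRF check at the decision
# level with no Rails dependency; every request, token and key below is
# constructed for the demonstration.
require 'uri'

# Minimal stand-in for an HTTP request as a Rails controller sees it.
Request = Struct.new(:verb, :path, :cookies, :headers, :params, keyword_init: true) do
  # Rails derives the format from the URL extension first (".xml" => :xml),
  # falling back to the Accept header; both are chosen by the requester.
  def format
    ext = File.extname(URI(path).path).delete_prefix('.')
    return ext.to_sym unless ext.empty?
    headers.fetch('Accept', '').include?('application/xml') ? :xml : :html
  end

  # protect_from_forgery only verifies the token on state-changing verbs.
  def safe_verb?
    %w[GET HEAD].include?(verb)
  end
end

SESSION_TOKEN = 'constructed-session-token' # per-session authenticity token
API_KEY       = 'constructed-api-key'       # credential an XML API client sends explicitly

def token_valid?(req)
  submitted = req.params['authenticity_token'] || req.headers['X-CSRF-Token']
  !submitted.nil? && submitted == SESSION_TOKEN
end

def browser_session?(req)
  req.cookies.key?('_session_id')
end

# The filter from the thread as a policy: skip the check whenever the request
# format is XML. Returns :allowed or :rejected.
def format_based_policy(req)
  return :allowed if req.safe_verb?
  return :allowed if req.format == :xml # the exemption under discussion
  token_valid?(req) ? :allowed : :rejected
end

# Alternative (this example's assumption, not advice from the thread): decide
# by authentication, not format. A cookie-backed session always needs the
# token, because browsers attach cookies to cross-site requests automatically.
# A request with no session cookie is only accepted on an explicit API key,
# which a cross-site page cannot supply on the victim's behalf.
def auth_based_policy(req)
  return :allowed if req.safe_verb?
  if browser_session?(req)
    token_valid?(req) ? :allowed : :rejected
  else
    req.headers['X-Api-Key'] == API_KEY ? :allowed : :rejected
  end
end

# Constructed requests: a legitimate form post, a forged cross-site post, the
# same forgery with ".xml" appended, and a genuine cookie-less API client.
def scenarios
  victim = { '_session_id' => 'abc123' }
  {
    legit_form:     Request.new(verb: 'POST', path: '/posts/1', cookies: victim,
                                headers: {}, params: { 'authenticity_token' => SESSION_TOKEN }),
    forged_html:    Request.new(verb: 'POST', path: '/posts/1', cookies: victim,
                                headers: {}, params: {}),
    forged_xml_ext: Request.new(verb: 'POST', path: '/posts/1.xml', cookies: victim,
                                headers: {}, params: {}),
    api_client:     Request.new(verb: 'POST', path: '/posts/1.xml', cookies: {},
                                headers: { 'X-Api-Key' => API_KEY }, params: {})
  }
end

# Returns { scenario => [format_based_result, auth_based_result] }.
def compare_policies
  scenarios.transform_values { |req| [format_based_policy(req), auth_based_policy(req)] }
end

if __FILE__ == $PROGRAM_NAME
  compare_policies.each do |name, (fmt, auth)|
    puts "#{name}: format-based=#{fmt} auth-based=#{auth}"
  end
end
```

Running it shows the `forged_xml_ext` row as the only one where the two policies disagree: the format-based filter lets the forged request through because the attacker-chosen extension flipped the format to XML, while the authentication-based policy still demands the token because the session cookie is present. The real API client is accepted by both, so the tighter rule costs nothing for the XML clients the original filter was trying to accommodate.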
