You're better off disabling forgery protection in the presence of some form of valid token authentication, not by method or request format.
So if the request is to be authenticated with a token/some form of API authentication, disable session and disable forgery protection, otherwise require it.

— Ivan

On 05/01/2012, at 1:03 PM, Paul Annesley wrote:

> On 05/01/2012, at 12:48 PM, 2potatocakes wrote:
>
>> I've just added this to my application controller and it seems to be
>> working ok for what I need now though.
>>
>> before_filter(:except => [:index, :show]) do |controller|
>>   protect_from_forgery unless controller.request.format.xml?
>> end
>
> This could leave you open to CSRF attacks that have ".xml" appended to the
> target URL.
> It's certainly a big improvement on no protection at all, though.
>
> -- Paul
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby or Rails Oceania" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/rails-oceania?hl=en.
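The decision Ivan describes, worked through as an added, self-contained Ruby example (it is not code from the thread and does not depend on Rails): a request that carries a valid API token is authenticated by that token alone, with no session and therefore no CSRF check; every other request must present an authenticity token that matches the one stored in the session. A `legacy_authorize` function models the format-based skip from the quoted snippet so the difference Paul points out is visible: a session-bearing request with no authenticity token gets through simply by asking for XML. The `API_TOKENS` table, the `Request` struct and the header/parameter names are constructed for the example.

```ruby
# Constructed example: per-request authentication decision that keys CSRF
# protection off token authentication rather than off the request format.

# Constructed lookup table of API tokens (a real app would consult a store).
API_TOKENS = { 'tok-abc123' => 'api-user' }.freeze

# Minimal stand-in for a Rails request object (constructed for the example).
Request = Struct.new(:headers, :params, :session, :format, keyword_init: true)

# Constant-time string comparison so token checks do not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Returns the user for a valid "Authorization: Token <value>" header, else nil.
def api_token_user(request)
  header = request.headers['Authorization'].to_s
  return nil unless header.start_with?('Token ')
  presented = header.sub('Token ', '').strip
  API_TOKENS.each { |token, user| return user if secure_compare(token, presented) }
  nil
end

# True when the request's authenticity token matches the one in the session.
def csrf_valid?(request)
  expected = request.session[:_csrf_token].to_s
  given = (request.params['authenticity_token'] || request.headers['X-CSRF-Token']).to_s
  !expected.empty? && secure_compare(expected, given)
end

# Recommended flow: token auth => no session, no CSRF check; otherwise CSRF required.
def authorize(request)
  if (user = api_token_user(request))
    { status: :ok, user: user, auth: :token, session: nil }
  elsif csrf_valid?(request)
    { status: :ok, user: request.session[:user], auth: :session }
  else
    { status: :forbidden, reason: 'invalid authenticity token' }
  end
end

# Format-based skip from the thread, kept only to show what it lets through:
# any session-bearing request becomes CSRF-exempt just by requesting XML.
def legacy_authorize(request)
  if request.format == :xml || csrf_valid?(request)
    { status: :ok, user: request.session[:user], auth: :session }
  else
    { status: :forbidden, reason: 'invalid authenticity token' }
  end
end

if __FILE__ == $PROGRAM_NAME
  session = { _csrf_token: 'csrf-xyz', user: 'alice' }   # constructed session
  forged = Request.new(headers: {}, params: {}, session: session, format: :xml)
  puts "token-based:  #{authorize(forged)[:status]}"        # forbidden
  puts "format-based: #{legacy_authorize(forged)[:status]}" # ok (the weakness)
end
```

In a Rails controller the same split is usually expressed by running the token lookup in a `before_filter` and only falling back to the session and forgery check when no valid token is present; the point of the example is the ordering, not the struct.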
