I was reading through the security guide and working on some basic ajax... I thought it might be worth a mention in the guide that we don't need to set the X-CSRF-Token header when we create an ajax call. It is mentioned, but not very clearly. I had to dig into rails <https://github.com/rails/rails/blob/28abd967fcc8544650c73910a8a0cbaa6dafc1f5/actionview/lib/action_view/helpers/csrf_helper.rb> to find what actually happens.
I have created a branch with the following text, added after line 242 in guides/source/security.md:

> If you are using 'jquery-rails' then your ajax calls will automatically include an 'X-CSRF-Token' HTTP header. The value of this header will match the 'csrf-token' meta tag in your document head. Rails will reject any incoming ajax call if the token is missing or incorrect. Malicious ajax which executes in the context of a different document will not have access to the csrf-token meta tag.

If this seems like a good addition, I am happy to submit it as a pull request to rails.git
