It's not needed *only* if you use jquery-rails, which is already well put in the docs. I am not sure I understood your issue.
On Wed, Feb 19, 2014 at 6:23 PM, Mike Gell <[email protected]> wrote:

> I was reading through the security guide and working on some basic ajax... I
> thought it might be worth a mention in the guide that we don't need to set
> the X-CSRF-Token header when we create an ajax call. It is mentioned, but
> not very clear. I had to dig into
> rails <https://github.com/rails/rails/blob/28abd967fcc8544650c73910a8a0cbaa6dafc1f5/actionview/lib/action_view/helpers/csrf_helper.rb> to
> find what actually happens.
>
> I have created a branch with the following text, added after line 242 in
> guides/source/security.md
>
>> If you are using 'jquery-rails' then your ajax calls will automatically
>> include an 'X-CSRF-Token' HTTP header. The value of this header will match
>> the 'csrf-token' meta tag in your document head. Rails will reject any
>> incoming ajax call if the token is missing or incorrect. Malicious ajax
>> which executes in the context of a different document will not have access
>> to the csrf-token meta tag.
>
> If this seems like a good addition, I am happy to submit it as a pull
> request to rails.git
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Core" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/rubyonrails-core.
> For more options, visit https://groups.google.com/groups/opt_out.

--
Mohamed Wael Khobalatte
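As an added illustration of the mechanism the quoted proposal describes (this is not code from the thread, from jquery-rails or from Rails itself), the self-contained Ruby below models the three parties: the server that keeps the token in the session and renders it into a `csrf-token` meta tag, a same-origin script that does what the jquery-rails ajax prefilter does (read the meta tag, copy it into the `X-CSRF-Token` header), and a cross-origin attacker page whose own document carries no such tag and which the same-origin policy stops from reading the victim document. The names `CsrfServer`, `same_origin_ajax_headers` and `demo` are invented for the example, the attacker HTML is constructed, and `secure_compare` is a hand-rolled stand-in for a constant-time comparison. The verifier only returns a boolean; in a real Rails app what happens on failure depends on the `with:` option given to `protect_from_forgery` (reset the session, raise, or use a null session), and the exact token format and comparison have changed between Rails versions.

```ruby
require "securerandom"

# Constant-time byte comparison (assumption: stand-in for the framework's
# own secure_compare). Length leaks, content does not.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# Server side. The per-session token is what csrf_meta_tags puts in <head>
# and what the forgery check compares against.
class CsrfServer
  HEADER = "X-CSRF-Token"
  PARAM  = "authenticity_token"

  def initialize
    @session = { csrf_token: SecureRandom.base64(32) }
  end

  def session_token
    @session[:csrf_token]
  end

  # Roughly what csrf_meta_tags renders into the document head.
  def render_head
    %(<meta name="csrf-param" content="#{PARAM}" />\n) +
      %(<meta name="csrf-token" content="#{session_token}" />)
  end

  # Models the forgery check: safe methods are never checked; otherwise the
  # token must arrive as the form param or the header and match the session.
  def verified?(method:, params: {}, headers: {})
    return true if %w[GET HEAD].include?(method)
    presented = params[PARAM] || headers[HEADER]
    !presented.nil? && secure_compare(presented, session_token)
  end
end

# Browser side, as a same-origin script sees it: jquery-rails reads the
# csrf-token meta tag of the *current* document and sets the header. A
# cross-origin attacker page runs this against its own document, which has
# no Rails meta tag, so no header is produced.
def same_origin_ajax_headers(document_head)
  m = document_head.match(/<meta name="csrf-token" content="([^"]+)"/)
  m ? { CsrfServer::HEADER => m[1] } : {}
end

# Four POSTs against one server: legitimate, forged from another origin,
# forged with a guessed token, and a GET for contrast.
def demo
  server        = CsrfServer.new
  victim_head   = server.render_head
  attacker_head = %(<html><head><title>evil</title></head>)  # constructed
  {
    legit:   server.verified?(method: "POST", headers: same_origin_ajax_headers(victim_head)),
    forged:  server.verified?(method: "POST", headers: same_origin_ajax_headers(attacker_head)),
    guessed: server.verified?(method: "POST", headers: { "X-CSRF-Token" => SecureRandom.base64(32) }),
    get:     server.verified?(method: "GET"),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The attacker's request still carries the victim's session cookie (the browser attaches it regardless of origin), which is exactly why the check relies on a value the attacker's script cannot read rather than on the cookie alone.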
