I think his point is that jquery-ujs appends the CSRF token to all AJAX 
requests that use jQuery's `$.ajax()` and derivative methods, even when not 
using remote=true links and forms. I.e. when using a custom AJAX request within 
a Rails page that includes jquery-ujs, you don't need to worry about appending 
the CSRF token.

Along those lines, I'd say the addition looks good to me. I'd make it more 
concise and clearer that you're referring to all jQuery AJAX requests outside 
of those using jquery-ujs. Something like:

> If you are using 'jquery-rails', all jQuery AJAX calls ($.ajax, $.get, 
> $.post, $.getJSON, etc) will automatically include the 'X-CSRF-Token' HTTP 
> header from the CSRF token meta tag in your document head.

-- Steve Schwartz
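To make the behaviour discussed above concrete, here is an added example (my own code, not jquery-ujs or anything from this thread) that models what jquery-ujs does for every jQuery AJAX call: read the `csrf-token` meta tag from the document head and set the `X-CSRF-Token` header, but only on same-origin requests, so the token is never handed to a third-party host. The meta-tag reader, the origin check and the constructed `SAMPLE_HEAD` are assumptions made so the logic runs under Node without jQuery; `installPrefilter` shows how the same check would be hooked into `$.ajaxPrefilter` in a browser.

```javascript
// Added example, not code from the thread or from jquery-ujs.
// A minimal model of the jquery-ujs behaviour: every jQuery AJAX request
// to the page's own origin carries X-CSRF-Token taken from the meta tag.

// Constructed sample document head, as Rails' csrf_meta_tags would emit it.
const SAMPLE_HEAD =
  '<meta name="csrf-param" content="authenticity_token" />' +
  '<meta name="csrf-token" content="constructed-token-abc123" />';

// Read the csrf-token meta tag. In a browser with jQuery this is
// $('meta[name="csrf-token"]').attr('content'); a regex stand-in keeps the
// example runnable offline. Assumes the name attribute precedes content.
function readCsrfToken(headHtml) {
  const m = /<meta\s+name=["']csrf-token["']\s+content=["']([^"']*)["']/i.exec(headHtml);
  return m ? m[1] : null;
}

// Same-origin check. jquery-ujs relies on jQuery's options.crossDomain flag;
// here the comparison is done explicitly against the page origin.
function isCrossDomain(requestUrl, pageOrigin) {
  const target = new URL(requestUrl, pageOrigin);
  return target.origin !== new URL(pageOrigin).origin;
}

// Headers a same-origin jQuery AJAX call would get. Cross-origin requests get
// nothing: sending the token elsewhere would leak it to that host.
function csrfHeadersFor(headHtml, requestUrl, pageOrigin) {
  const token = readCsrfToken(headHtml);
  if (!token || isCrossDomain(requestUrl, pageOrigin)) {
    return {};
  }
  return { 'X-CSRF-Token': token };
}

// Browser wiring (not exercised here): a jQuery prefilter runs before every
// $.ajax, $.get, $.post and $.getJSON call, which is why custom AJAX code on
// a page that includes jquery-ujs does not need to set the header itself.
function installPrefilter($, doc) {
  $.ajaxPrefilter(function (options, originalOptions, xhr) {
    if (options.crossDomain) {
      return;
    }
    const token = readCsrfToken(doc.head.innerHTML);
    if (token) {
      xhr.setRequestHeader('X-CSRF-Token', token);
    }
  });
}

module.exports = { SAMPLE_HEAD, readCsrfToken, isCrossDomain, csrfHeadersFor, installPrefilter };
```

The point a reviewer of the guide text would want preserved is the origin condition: the automatic header is a convenience for the page's own requests, and the same prefilter must skip requests to other hosts. On the server side, Rails compares the header value with the session token and rejects the request when they do not match, which is the check the quoted guide text refers to.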


On Thursday, February 20, 2014 at 8:41 AM, Mohamed Wael Khobalatte wrote:

> It's not needed *only* if you use jquery-rails, which is already well put in 
> the docs. I am not sure I understood your issue.
> 
> 
> On Wed, Feb 19, 2014 at 6:23 PM, Mike Gell <[email protected]> wrote:
> > I was reading thru the security guide and working on some basic ajax... I 
> > thought it might be worth a mention in the guide that we don't need to set 
> > the X-CSRF-Token header when we create an ajax call. It is mentioned, but 
> > not very clear. I had to dig into rails 
> > (https://github.com/rails/rails/blob/28abd967fcc8544650c73910a8a0cbaa6dafc1f5/actionview/lib/action_view/helpers/csrf_helper.rb)
> >  to find what actually happens. 
> > 
> > I have created a branch with the following text, added after line 242 in 
> > guides/source/security.md
> > 
> > > If you are using 'jquery-rails' then your ajax calls will automatically 
> > > include a 'X-CSRF-Token' HTTP header. The value of this header will match 
> > > the 'csrf-token' meta tag in your document head. Rails will reject any 
> > > incoming ajax call, if the token is missing or incorrect. Malicious ajax 
> > > which executes in the context of a different document will not have 
> > > access to the csrf-token meta tag.
> > 
> > If this seems like a good addition, I am happy to submit it as a pull 
> > request to rails.git 
> > 
> > -- 
> > You received this message because you are subscribed to the Google Groups 
> > "Ruby on Rails: Core" group.
> > To unsubscribe from this group and stop receiving emails from it, send an 
> > email to [email protected] 
> > (mailto:rubyonrails-core%[email protected]).
> > To post to this group, send email to [email protected] 
> > (mailto:[email protected]).
> > Visit this group at http://groups.google.com/group/rubyonrails-core.
> > For more options, visit https://groups.google.com/groups/opt_out.
> 
> 
> 
> -- 
> Mohamed Wael Khobalatte
> 
