I'm using rails3. It does not seem to check the authenticity_token
when doing a POST using Ajax. I traced this to:
module ActionDispatch
class Request < Rack::Request
.....
def forgery_whitelisted?
get? || xhr? || content_mime_type.nil? || !
content_mime_type.verify_request?
end
end
so you don't check if its a get? or a xhr? (ie ajax request). Is this
correct?
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.
