On Sep 21, 7:43 am, Ft51 <[email protected]> wrote:
> I'm using rails3. It does not seem to check the authenticity_token
> when doing a POST using Ajax. I traced this to:
>
> module ActionDispatch
>   class Request < Rack::Request
>     .....
>     def forgery_whitelisted?
>       get? || xhr? || content_mime_type.nil? ||
>         !content_mime_type.verify_request?
>     end
>   end
> end
>
> so you don't check if it's a get? or an xhr? (ie ajax request). Is this
> correct?
Seems correct to me: GET requests shouldn't be doing anything where it matters if the request is coming from another domain. XHR requests don't support cross-domain calls. So you don't have to worry about it coming from another domain.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
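The quoted forgery_whitelisted? method decides, per request, whether the authenticity token is checked at all: anything that is a GET, carries the XMLHttpRequest header, has no Content-Type, or has a Content-Type Rails does not consider browser-generated skips the token comparison. When auditing an application this is the question to answer first, because every whitelisted shape is a request the CSRF token never protects. The script below is an added example, not Rails code and not from either poster: it models that decision with stdlib Ruby over constructed Rack-style env hashes, so the four request shapes discussed in the thread can be tabulated without booting Rails. The set of "browser generated" media types is an assumption standing in for Mime::Type.verify_request?, and MiniRequest and verified_request? are hypothetical stand-ins for ActionDispatch::Request and the controller-side check.

```ruby
# Added example (not Rails code): a stand-alone model of the Rails 3.0
# forgery_whitelisted? decision quoted above.
require 'set'

# Assumption: the media types treated as "browser generated", i.e. the ones a
# plain HTML form (which a third-party page can submit) is able to send.
# Only these are subject to token verification in this model.
BROWSER_GENERATED_TYPES = Set.new(%w[
  text/html
  application/x-www-form-urlencoded
  multipart/form-data
  text/plain
]).freeze

# Hypothetical stand-in for ActionDispatch::Request, built from a Rack env hash.
class MiniRequest
  def initialize(env)
    @env = env
  end

  def get?
    @env['REQUEST_METHOD'] == 'GET'
  end

  # Rails derives xhr? purely from this request header; note that the whole
  # XHR exemption therefore rests on whether an origin can set the header.
  def xhr?
    @env['HTTP_X_REQUESTED_WITH'].to_s.casecmp('XMLHttpRequest').zero?
  end

  # Media type without parameters ("; charset=..." / "; boundary=..." stripped).
  # Returns nil when the request carries no Content-Type at all.
  def content_mime_type
    ct = @env['CONTENT_TYPE']
    return nil if ct.nil? || ct.strip.empty?
    ct.split(';').first.strip.downcase
  end

  # Model of Mime::Type#verify_request? for the request's media type.
  def verifiable_content_type?
    BROWSER_GENERATED_TYPES.include?(content_mime_type)
  end

  # Same shape as the quoted Rails 3.0 method. true means: token NOT checked.
  def forgery_whitelisted?
    get? || xhr? || content_mime_type.nil? || !verifiable_content_type?
  end
end

# Model of the controller-side check: whitelisted requests pass unconditionally,
# everything else must present the session's token. (Real code should use a
# constant-time comparison rather than ==.)
def verified_request?(env, session_token:, form_token:)
  req = MiniRequest.new(env)
  return true if req.forgery_whitelisted?
  !session_token.nil? && form_token == session_token
end

# Constructed sample requests covering the shapes mentioned in the thread.
SAMPLE_REQUESTS = {
  'GET page'      => { 'REQUEST_METHOD' => 'GET' },
  'POST form'     => { 'REQUEST_METHOD' => 'POST',
                       'CONTENT_TYPE'   => 'application/x-www-form-urlencoded' },
  'POST xhr form' => { 'REQUEST_METHOD' => 'POST',
                       'CONTENT_TYPE'   => 'application/x-www-form-urlencoded; charset=UTF-8',
                       'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest' },
  'POST json'     => { 'REQUEST_METHOD' => 'POST',
                       'CONTENT_TYPE'   => 'application/json' },
}.freeze

# Tabulates which sample requests bypass the token check.
def whitelist_report(requests = SAMPLE_REQUESTS)
  requests.transform_values { |env| MiniRequest.new(env).forgery_whitelisted? }
end

if $PROGRAM_NAME == __FILE__
  whitelist_report.each do |label, skipped|
    puts format('%-14s token check %s', label, skipped ? 'SKIPPED' : 'enforced')
  end
end
```

Running the report shows that, under this logic, only the plain form POST has its token enforced; the GET, the XHR POST and the JSON POST are all whitelisted. The JSON row is worth noting when reviewing an API that also accepts session cookies: it is exempt not because of any origin check but because application/json is not in the browser-generated set.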

