Thanks, that makes sense!

On Sep 21, 1:15 pm, Tim Shaffer <[email protected]> wrote:
> On Sep 21, 7:43 am, Ft51 <[email protected]> wrote:
>
> > I'm using rails3. It does not seem to check the authenticity_token
> > when doing a POST using Ajax. I traced this to:
> >
> > module ActionDispatch
> >   class Request < Rack::Request
> >     .....
> >     def forgery_whitelisted?
> >       get? || xhr? || content_mime_type.nil? ||
> >         !content_mime_type.verify_request?
> >     end
> >   end
> > end
> >
> > so you don't check if it's a get? or a xhr? (i.e. ajax request). Is this
> > correct?
>
> Seems correct to me:
> GET requests shouldn't be doing anything where it matters if the
> request is coming from another domain.
> XHR requests don't support cross-domain calls. So you don't have to
> worry about it coming from another domain.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.

