Don't check authenticity tokens for any AJAX requests

2022-11-09 12:12:34 -05:00 · 2009-03-04 16:05:15 -05:00 · 2009-03-04 16:05:15 -05:00 · 256b0ee8e3
commit 256b0ee8e3
parent 3c1187699a
3 changed files with 10 additions and 6 deletions
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@ -7,6 +7,8 @@

 * Fixed that redirection would just log the options, not the final url (which lead to "Redirected to #<Post:0x23150b8>") [DHH]

+* Don't check authenticity tokens for any AJAX requests [Ross Kaffenberger/Bryan Helmkamp]
+
 * Added ability to pass in :public => true to fresh_when, stale?, and expires_in to make the request proxy cachable #2095 [Gregg Pollack]

 * Fixed that passing a custom form builder would be forwarded to nested fields_for calls #2023 [Eloy Duran/Nate Wiger]
--- a/actionpack/lib/action_controller/base/request_forgery_protection.rb
+++ b/actionpack/lib/action_controller/base/request_forgery_protection.rb
@ -81,12 +81,13 @@ module ActionController #:nodoc:
      
      # Returns true or false if a request is verified.  Checks:
      #
-      # * is the format restricted?  By default, only HTML and AJAX requests are checked.
+      # * is the format restricted?  By default, only HTML requests are checked.
      # * is it a GET request?  Gets should be safe and idempotent
      # * Does the form_authenticity_token match the given token value from the params?
      def verified_request?
        !protect_against_forgery?     ||
          request.method == :get      ||
+          request.xhr?                ||
          !verifiable_request_format? ||
          form_authenticity_token == params[request_forgery_protection_token]
      end
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@ -151,14 +151,10 @@ module RequestForgeryProtectionTests
      delete :index, :format => 'xml'
    end
  end
-
+  
  def test_should_allow_xhr_post_without_token
    assert_nothing_raised { xhr :post, :index }
  end
-  def test_should_not_allow_xhr_post_with_html_without_token
-    @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
-    assert_raise(ActionController::InvalidAuthenticityToken) { xhr :post, :index }
-  end
  
  def test_should_allow_xhr_put_without_token
    assert_nothing_raised { xhr :put, :index }
@ -168,6 +164,11 @@ module RequestForgeryProtectionTests
    assert_nothing_raised { xhr :delete, :index }
  end
  
+  def test_should_allow_xhr_post_with_encoded_form_content_type_without_token
+    @request.env['CONTENT_TYPE'] = Mime::URL_ENCODED_FORM.to_s
+    assert_nothing_raised { xhr :post, :index }
+  end
+  
  def test_should_allow_post_with_token
    post :index, :authenticity_token => @token
    assert_response :success