Merge pull request #11770 from timruffles/doc_ajax_xhr

be more specific about csrf token and ajax - not whitelisted outside of jquery-rails [ci skip]
2022-11-09 12:12:34 -05:00 · 2014-02-03 08:38:44 -08:00 · 2014-02-03 08:38:44 -08:00 · 28abd967fc
commit 28abd967fc
parent dd493d3b6f 08525e3ef1
1 changed files with 5 additions and 2 deletions
--- a/actionview/lib/action_view/helpers/csrf_helper.rb
+++ b/actionview/lib/action_view/helpers/csrf_helper.rb
@ -12,8 +12,11 @@ module ActionView
      # These are used to generate the dynamic forms that implement non-remote links with
      # <tt>:method</tt>.
      #
-      # Note that regular forms generate hidden fields, and that Ajax calls are whitelisted,
-      # so they do not use these tags.
+      # You don't need to use these tags for regular forms as they generate their own hidden fields.
+      #
+      # For AJAX requests other than GETs, extract the "csrf-token" from the meta-tag and send as the 
+      # "X-CSRF-Token" HTTP header. If you are using jQuery with jquery-rails this happens automatically.
+      #
      def csrf_meta_tags
        if protect_against_forgery?
          [