mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00
Commit graph

6 commits

Author SHA1 Message Date
Jeremy Kemper
1650bb3d56 CSRF protection from cross-origin <script> tags
Thanks to @homakov for sounding the alarm about JSONP-style data leaking
2013-12-17 13:14:17 -07:00
Xavier Noria
eea66892c8 removes support for render :update 2011-04-13 13:23:17 +02:00
Joshua Peek
0540781539 Namespace TestControllers inside their test case class 2009-09-19 13:04:12 -05:00
Yehuda Katz
1310231c15 Got tests to pass with some more changes.
  * request.formats is much simpler now
    * For XHRs or Accept headers with a single item, we use the Accept header
    * For other requests, we use params[:format] or fallback to HTML
    * This is primarily to work around the fact that browsers provide completely
      broken Accept headers, so we have to whitelist the few cases we can
      specifically isolate and treat other requests as coming from the browser
    * For APIs, we can support single-item Accept headers, which disambiguates
      from the browsers
  * Requests to an action that only has an XML template from the browser will
    no longer find the template. This worked previously because most browsers
    provide a catch-all */*, but this was mostly accidental behavior. If you
    want to serve XML, either use the :xml format in links, or explicitly
    specify the XML template: render "template.xml".
2009-08-15 12:32:02 -07:00
Yehuda Katz + Carl Lerche
7b3fb1d43f Got controller/render_js_test.rb to pass on new base 2009-05-22 17:08:58 -07:00
Yehuda Katz + Carl Lerche
49a84ff69c Ported over render :file tests. 2009-05-13 17:00:59 -07:00