My jquery AJAX POST requests works without sending an Authenticity Token (Rails)
Posted
by dchua
on Stack Overflow
See other posts from Stack Overflow
or by dchua
Published on 2010-06-17T06:52:48Z
Indexed on
2010/06/17
7:03 UTC
Read the original article
Hit count: 317
Hi all,
Is there any provisions in rails that would allow all AJAX POST requests from the site to pass without an authenticity_token?
I have a Jquery POST ajax call that calls a controller method, but I did not put any authenticity code in it and yet the call succeeds.
My ApplicationController does have 'request_forgery_protection' and I've changed
config.action_controller.consider_all_requests_local
to false in my environments/development.rb
I've also searched my code to ensure that I was not overloading ajaxSend to send out authenticity tokens.
Is there some mechanism in play that disables the check? Now I'm not sure if my CSRF protection is working or not.
I'm using Rails 2.3.5.
© Stack Overflow or respective owner