This updates the CSRF tokens generated by Rails to be URL safe.
I took a look at the changelog for reference and I thought this was a great summary:

    Base64 strict-encoded CSRF tokens are not inherently websafe, which makes
    them difficult to deal with. For example, the common practice of sending
    the CSRF token to a browser in a client-readable cookie does not work properly
    out of the box: the value has to be url-encoded and decoded to survive transport.
    Now, we generate Base64 urlsafe-encoded CSRF tokens, which are inherently safe
    to transport. Validation accepts both urlsafe tokens, and strict-encoded tokens
    for backwards compatibility.

There may be a slight blip if users are trying to submit a form at the time of rollout, but otherwise there shouldn't be any impact.
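The generate-urlsafe, accept-both validation described in the changelog, as an added example written for this page rather than Rails' own code; the helper names, the 32-byte raw token length and the constructed sample bytes are assumptions:

```ruby
require "securerandom"
require "base64"

TOKEN_LENGTH = 32 # raw bytes per token (assumed length, not taken from Rails)

# Constructed sample: 32 bytes chosen so the strict encoding contains '+', '/' and '='.
SAMPLE_RAW = ([0xFB, 0xFF, 0xBF] * 10 + [0xFB, 0xFF]).pack("C*")

# New tokens: urlsafe alphabet ('-' and '_' instead of '+' and '/'), no '=' padding,
# so the value survives cookies, query strings and form fields without extra escaping.
def generate_urlsafe_token(raw = SecureRandom.random_bytes(TOKEN_LENGTH))
  Base64.urlsafe_encode64(raw, padding: false)
end

# Legacy tokens: strict encoding may contain '+', '/' and '=', which need URL-encoding.
def generate_strict_token(raw = SecureRandom.random_bytes(TOKEN_LENGTH))
  Base64.strict_encode64(raw)
end

# True when the token only uses characters that are safe in URLs and cookies as-is.
def websafe?(token)
  token.match?(/\A[A-Za-z0-9_-]*\z/)
end

# Decode either form back to raw bytes. Urlsafe-alphabet tokens (padded or not)
# go through urlsafe_decode64; anything else is tried as a legacy strict token.
# Returns nil on malformed input or a wrong decoded length.
def decode_token(token)
  raw = if token.match?(/\A[A-Za-z0-9_-]+={0,2}\z/)
          Base64.urlsafe_decode64(token)
        else
          Base64.strict_decode64(token)
        end
  raw.bytesize == TOKEN_LENGTH ? raw : nil
rescue ArgumentError
  nil
end

# Constant-time byte comparison (hand-rolled here; Rails uses its own secure_compare).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Validation accepts a urlsafe or a strict-encoded submission of the session's raw token.
def valid_token?(session_raw, submitted)
  decoded = decode_token(submitted)
  !decoded.nil? && secure_compare(session_raw, decoded)
end
```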