rails / jquery-ujs

Ruby on Rails unobtrusive scripting adapter for jQuery
MIT License

Rails 3.0.4 mandates X-CSRF-Token for each request (except GET) #94

Closed juwalter closed 13 years ago

juwalter commented 13 years ago

Hi,

after reading http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails this morning I thought the current rails.js might need an update, too. However, after playing around with a new Rails 3.0.4 app, including devise for authentication and several models with create/delete/update, the current version of rails.js seems to work just fine.

I am still wondering though, if you want to have a look at the post (unless you did already) and examine this, as well:

```javascript
// Runs before every jQuery ajax request and copies the token from the
// <meta name="csrf-token"> tag into the X-CSRF-Token request header.
$(document).ajaxSend(function(e, xhr, options) {
  var token = $("meta[name='csrf-token']").attr("content");
  xhr.setRequestHeader("X-CSRF-Token", token);
});
```

Any thoughts on this? Much appreciated!! Cheers, Jürgen

yfeldblum commented 13 years ago

In my tests (Rails 3.0.4, jQuery 1.5, Devise 1.1.5), when I do a jQuery.ajax call with type: put, I am seeing the browser's basic auth dialog box (which never accepts any username/password) and getting signed out. Adding this sample JavaScript to the page did not help.

Odd thing is, though, the cucumber (capybara, culerity/celerity) features continue to pass (they do include the ajax put requests), while manual tests are failing.

aaronchi commented 13 years ago

I have issues with put requests as well

spovich commented 13 years ago

Ok, found this gist which fixes it for me with jQuery 1.5. https://gist.github.com/818689

juwalter commented 13 years ago

yes, the gist, and also make sure you have <%= csrf_meta_tag %> in the head, so there is a csrf token. POST always had it as part of the form - using a hidden input field - but the csrf token in the head is relatively new; it works universally, POST and PUT
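The two pieces the thread settles on, reading the token from the csrf-token meta tag in the head and attaching it as the X-CSRF-Token header on non-GET ajax requests, written out below as an added example. This is not jquery-ujs code or the gist linked above; it is plain JavaScript with no jQuery dependency so the policy can be exercised outside a browser. The HTML head string, the FakeXhr class and the function names (csrfTokenFromHead, isCrossDomain, csrfHeaderFor, installCsrfHook) are constructed for illustration. It also adds one check the snippet in the first post lacks: the token is not attached to cross-origin requests, since handing the session's CSRF token to another site would defeat the protection.

```javascript
// Constructed sample of what <%= csrf_meta_tag %> emits in the layout head.
const SAMPLE_HEAD =
  '<head>' +
  '<meta name="csrf-param" content="authenticity_token" />' +
  '<meta name="csrf-token" content="abc123tokenvalue" />' +
  '</head>';

// Stand-in for $("meta[name='csrf-token']").attr("content"): scan the
// meta tags in a head fragment and return the csrf-token content, or null.
function csrfTokenFromHead(html) {
  const tagRe = /<meta\s+[^>]*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[0];
    const name = /\bname=["']([^"']+)["']/i.exec(tag);
    const content = /\bcontent=["']([^"']+)["']/i.exec(tag);
    if (name && name[1] === "csrf-token" && content) return content[1];
  }
  return null;
}

// True when the request URL resolves to a different origin than the page.
// Relative URLs resolve against the page and are therefore same-origin.
function isCrossDomain(url, pageOrigin) {
  return new URL(url, pageOrigin).origin !== new URL(pageOrigin).origin;
}

// Decide which headers to add for one request. `options` mirrors the shape
// jQuery.ajax uses ({ type, url }). Returns null when nothing should be sent:
// GET requests (Rails 3.0.4 does not verify them), cross-origin requests
// (never leak the token), or a page with no token in its head.
function csrfHeaderFor(options, token, pageOrigin) {
  const method = (options.type || "GET").toUpperCase();
  if (method === "GET") return null;
  if (isCrossDomain(options.url || "/", pageOrigin)) return null;
  if (!token) return null;
  return { "X-CSRF-Token": token };
}

// ajaxSend-style hook: look the token up in the head and set the header on
// the xhr, the same side effect as the snippet posted at the top of the thread.
function installCsrfHook(xhr, options, head, pageOrigin) {
  const headers = csrfHeaderFor(options, csrfTokenFromHead(head), pageOrigin);
  if (headers) {
    for (const [name, value] of Object.entries(headers)) {
      xhr.setRequestHeader(name, value);
    }
  }
  return xhr;
}

// Minimal XMLHttpRequest stand-in that records the headers set on it.
class FakeXhr {
  constructor() { this.headers = {}; }
  setRequestHeader(name, value) { this.headers[name] = value; }
}

// Usage: a PUT to a same-origin path gets the header, a GET does not.
const putReq = installCsrfHook(new FakeXhr(), { type: "put", url: "/posts/1" },
                               SAMPLE_HEAD, "https://app.example");
const getReq = installCsrfHook(new FakeXhr(), { type: "get", url: "/posts/1" },
                               SAMPLE_HEAD, "https://app.example");
console.log(putReq.headers, getReq.headers);
```

The header is read fresh on every request rather than cached at page load, so a token rotated by a later full-page render is picked up without reloading the script. If the meta tag is missing, no header is sent at all, which is the symptom to look for when a PUT or DELETE starts being rejected while form POSTs still work.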

mislav commented 13 years ago

Thanks for the discussion and useful pointers. Fixed in e9311550fdb3afeb2917bcb1fef39767bf715003

dbackeus commented 13 years ago

EDIT: Sorry guys, I somehow thought I was commenting on a Devise issue. Don't panic!