module ActionController::RequestForgeryProtection

Constants

CROSS_ORIGIN_JAVASCRIPT_WARNING

Protected Instance Methods

handle_unverified_request()
# File lib/rails3_csrf_patcher/patch.rb, line 52
def handle_unverified_request
  raise(ActionController::InvalidAuthenticityToken)
end
marked_for_same_origin_verification?()

If the `verify_authenticity_token` before_action ran, verify that JavaScript responses are only served to same-origin GET requests.

# File lib/rails3_csrf_patcher/patch.rb, line 43
def marked_for_same_origin_verification?
  defined? @marked_for_same_origin_verification
end
non_xhr_javascript_response?()

Check for cross-origin JavaScript responses.

# File lib/rails3_csrf_patcher/patch.rb, line 48
def non_xhr_javascript_response?
  content_type =~ %r(\Atext/javascript) && !request.xhr?
end
verify_authenticity_token()
# File lib/rails3_csrf_patcher/patch.rb, line 16
def verify_authenticity_token
  @marked_for_same_origin_verification = true

  unless verified_request?
    logger.warn "WARNING: Can't verify CSRF token authenticity" if logger
    handle_unverified_request
  end
end
verify_same_origin_request()

If `verify_authenticity_token` was run (indicating that forgery protection is enabled for this request), then also verify that we aren't serving an unauthorized cross-origin response.

# File lib/rails3_csrf_patcher/patch.rb, line 34
def verify_same_origin_request
  if marked_for_same_origin_verification? && non_xhr_javascript_response?
    logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger
    raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
  end
end
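The two filters above only make sense together: the before_action sets the marker, and the after_action raises only when that marker is present and the response is non-XHR JavaScript. The following added example (not the gem's own code, and independent of Rails) re-declares the documented methods inside a stand-alone module and drives them with a fake request and controller so the decision table can be executed offline. `FakeRequest`, `FakeController`, the `run` helper, the `verified_request?` stand-in and the warning text are all constructed for this illustration; the real `verified_request?` and `CROSS_ORIGIN_JAVASCRIPT_WARNING` come from Rails.

```ruby
# Added example: Rails-free re-enactment of the patched filter chain.
# Everything here is constructed for illustration; it is not the gem's code.

module ActionController
  class InvalidAuthenticityToken < StandardError; end
  class InvalidCrossOriginRequest < StandardError; end

  module RequestForgeryProtection
    # Constructed placeholder text; Rails defines the real constant's wording.
    CROSS_ORIGIN_JAVASCRIPT_WARNING =
      "Security warning: a cross-origin <script> tag requested protected JavaScript."

    # before_action: mark the request and reject it if the token does not verify.
    def verify_authenticity_token
      @marked_for_same_origin_verification = true
      unless verified_request?
        logger.warn "WARNING: Can't verify CSRF token authenticity" if logger
        handle_unverified_request
      end
    end

    # after_action: only enforce the same-origin rule when the before_action ran.
    def verify_same_origin_request
      if marked_for_same_origin_verification? && non_xhr_javascript_response?
        logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger
        raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
      end
    end

    def marked_for_same_origin_verification?
      defined? @marked_for_same_origin_verification
    end

    # JavaScript body that was not requested via XMLHttpRequest.
    def non_xhr_javascript_response?
      content_type =~ %r(\Atext/javascript) && !request.xhr?
    end

    def handle_unverified_request
      raise(ActionController::InvalidAuthenticityToken)
    end
  end
end

# Constructed request object exposing just what the checks consult.
FakeRequest = Struct.new(:http_method, :xhr, :params) do
  def xhr?; xhr; end
end

class FakeController
  include ActionController::RequestForgeryProtection
  attr_reader :request, :content_type, :logger
  SESSION_TOKEN = "constructed-session-token" # stands in for session[:_csrf_token]

  def initialize(request, content_type)
    @request = request
    @content_type = content_type # set by the action in a real controller
    @logger = nil
  end

  # Constructed stand-in for Rails' verified_request?: safe methods pass,
  # unsafe methods must carry a form token equal to the session token.
  def verified_request?
    %w[GET HEAD].include?(request.http_method) ||
      request.params["authenticity_token"] == SESSION_TOKEN
  end

  # Simulate the filter chain: before_action -> action -> after_action.
  # skip_csrf models an action that opted out of verify_authenticity_token.
  def process(skip_csrf: false)
    verify_authenticity_token unless skip_csrf
    verify_same_origin_request
    :ok
  end
end

# Returns :ok, or the exception class the filter chain raised.
def run(http_method:, xhr:, content_type:, token: nil, skip_csrf: false)
  req = FakeRequest.new(http_method, xhr, { "authenticity_token" => token })
  FakeController.new(req, content_type).process(skip_csrf: skip_csrf)
rescue ActionController::InvalidAuthenticityToken,
       ActionController::InvalidCrossOriginRequest => e
  e.class
end
```

Running `run(http_method: "GET", xhr: false, content_type: "text/javascript")` reproduces the cross-origin rejection; the same GET via XHR, or a non-JavaScript response, passes; and an action that skipped `verify_authenticity_token` is never subject to the same-origin check, which is exactly why the marker exists.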