module ActionController::RequestForgeryProtection
Constants
- CROSS_ORIGIN_JAVASCRIPT_WARNING
Protected Instance Methods
handle_unverified_request()
# File lib/rails3_csrf_patcher/patch.rb, line 52
def handle_unverified_request
  raise(ActionController::InvalidAuthenticityToken)
end
marked_for_same_origin_verification?()
If the `verify_authenticity_token` before_action ran, verify that JavaScript responses are only served to same-origin GET requests.
# File lib/rails3_csrf_patcher/patch.rb, line 43
def marked_for_same_origin_verification?
  defined? @marked_for_same_origin_verification
end
non_xhr_javascript_response?()
Check for cross-origin JavaScript responses.
# File lib/rails3_csrf_patcher/patch.rb, line 48
def non_xhr_javascript_response?
  content_type =~ %r(\Atext/javascript) && !request.xhr?
end
verify_authenticity_token()
# File lib/rails3_csrf_patcher/patch.rb, line 16
def verify_authenticity_token
  @marked_for_same_origin_verification = true

  unless verified_request?
    logger.warn "WARNING: Can't verify CSRF token authenticity" if logger
    handle_unverified_request
  end
end
verify_same_origin_request()
If `verify_authenticity_token` was run (indicating that forgery protection is enabled for this request), then also verify that we aren't serving an unauthorized cross-origin response.
# File lib/rails3_csrf_patcher/patch.rb, line 34
def verify_same_origin_request
  if marked_for_same_origin_verification? && non_xhr_javascript_response?
    logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger
    raise ActionController::InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
  end
end
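The five methods above form one filter chain: `verify_authenticity_token` runs as a before_action and marks the request, the action renders, and `verify_same_origin_request` runs afterwards and rejects a `text/javascript` response that was not requested via XHR (the shape a `<script src>` tag on another origin produces). The following is an added, self-contained example, not code from the rails3_csrf_patcher gem or from Rails: it re-implements those checks against a stub request so each request shape can be evaluated offline. `StubRequest`, `StubLogger`, `StubController#run`, the `verdict` helper, the `protect:` switch, the verdict symbols and the warning text are all assumptions of this example; in the gem, the exception classes and the constant come from ActionController.

```ruby
# Added example (not the gem's code). Exception classes and the warning text are
# stand-ins; the real ones are ActionController::InvalidAuthenticityToken,
# ActionController::InvalidCrossOriginRequest and CROSS_ORIGIN_JAVASCRIPT_WARNING.
InvalidAuthenticityToken  = Class.new(StandardError)
InvalidCrossOriginRequest = Class.new(StandardError)
CROSS_ORIGIN_JAVASCRIPT_WARNING = "constructed warning: cross-origin <script> requested protected JavaScript"

# Constructed request: HTTP verb, whether it was sent via XMLHttpRequest, and
# whether it carried a valid authenticity token.
StubRequest = Struct.new(:verb, :xhr, :valid_token) do
  def get?;         verb == "GET";  end
  def head?;        verb == "HEAD"; end
  def xhr?;         xhr;            end
  def valid_token?; valid_token;    end
end

# Collects warnings instead of writing them, so the test can inspect them.
class StubLogger
  attr_reader :warnings
  def initialize; @warnings = []; end
  def warn(msg);  @warnings << msg; end
end

class StubController
  attr_reader :request, :logger, :content_type

  def initialize(request:, content_type:, logger: StubLogger.new)
    @request, @content_type, @logger = request, content_type, logger
  end

  # Simplified stand-in for Rails' verified_request?: safe verbs pass, anything
  # else must present a valid token.
  def verified_request?
    request.get? || request.head? || request.valid_token?
  end

  # The four checks below mirror the methods documented on this page.
  def verify_authenticity_token
    @marked_for_same_origin_verification = true
    unless verified_request?
      logger.warn "WARNING: Can't verify CSRF token authenticity" if logger
      handle_unverified_request
    end
  end

  def handle_unverified_request
    raise InvalidAuthenticityToken
  end

  def marked_for_same_origin_verification?
    defined?(@marked_for_same_origin_verification)
  end

  def non_xhr_javascript_response?
    content_type =~ %r(\Atext/javascript) && !request.xhr?
  end

  def verify_same_origin_request
    if marked_for_same_origin_verification? && non_xhr_javascript_response?
      logger.warn CROSS_ORIGIN_JAVASCRIPT_WARNING if logger
      raise InvalidCrossOriginRequest, CROSS_ORIGIN_JAVASCRIPT_WARNING
    end
  end

  # Simulates the filter chain. With protect: false the before_action is skipped
  # (as when forgery protection is disabled for an action), so the request is
  # never marked and the after_action lets the JavaScript response through.
  def run(protect: true)
    verify_authenticity_token if protect
    verify_same_origin_request
    :served
  rescue InvalidAuthenticityToken
    :rejected_csrf_token
  rescue InvalidCrossOriginRequest
    :rejected_cross_origin_script
  end
end

# Convenience wrapper returning the outcome for one request shape.
def verdict(verb:, xhr:, content_type:, valid_token: false, protect: true)
  req = StubRequest.new(verb, xhr, valid_token)
  StubController.new(request: req, content_type: content_type).run(protect: protect)
end

if __FILE__ == $0
  [["GET",  true,  "text/javascript"],
   ["GET",  false, "text/javascript"],
   ["GET",  false, "text/html"],
   ["POST", true,  "text/javascript"]].each do |verb, xhr, ct|
    puts "#{verb} xhr=#{xhr} #{ct}: #{verdict(verb: verb, xhr: xhr, content_type: ct)}"
  end
end
```

The interesting row is the plain (non-XHR) GET for `text/javascript`: the token check passes, because GET needs no token, yet the response is still refused, which is exactly the gap the after_action closes. Note that the protection is only as strong as the marker: any action that skips `verify_authenticity_token` also skips the cross-origin check, so review those exemptions with care.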