Update csrf_safe? to check the headers. Add some JS code to insert the CSRF token into the XHR request headers.

2025-08-03 08:11:56 +02:00 · 2013-06-22 16:53:39 -04:00 · 2013-06-22 16:53:39 -04:00 · bcf9b63fa4
commit bcf9b63fa4
parent bdfaf0022a
2 changed files with 13 additions and 2 deletions
--- a/app.rb
+++ b/app.rb
@ -252,7 +252,7 @@ def require_login_ajax
 end

 def csrf_safe?
-  csrf_token == params[:csrf_token]
+  csrf_token == params[:csrf_token] || csrf_token == request.env['HTTP_X_CSRF_TOKEN']
 end

 def csrf_token