I'm using rails3. It does not seem to check the authenticity_token when doing a POST using Ajax. I traced this to:
module ActionDispatch class Request < Rack::Request ..... def forgery_whitelisted? get? || xhr? || content_mime_type.nil? || ! content_mime_type.verify_request? end end
so you don't check if its a get? or a xhr? (ie ajax request). Is this correct?
Seems correct to me: GET requests shouldn't be doing anything where it matters if the request is coming from another domain. XHR requests don't support cross-domain calls. So you don't have to worry about it coming from another domain.
Thanks, that makes sense!
doesnt $.getScript passes from data from one domain to another?
I doubt it. It probably uses XMLHttpRequest
just comfirmed an getscript does cross-domain calls
some guys are using it to send https data over http
http://www.viget.com/extend/secure-ajax-from-non-secure-pages/
Actually, that page specifically says that it doesn't work cross domain, or even cross protocol:
"the JavaScript same origin policy prevents you from making an Ajax request from your non-secure page to a secure page"
And the example doesn't show any use of cross domain or cross protocol calls.
class `CryptoKeysController < ApplicationController ssl_required ``:show
````$.getScript('/profiles/crypto_key?callback=setCryptData',
he is calling
the show action with htts from a non https page `