New Request Forgery Protection breaks AtomPub implementations

Rails 2.1 Request Forgery Protection is incompatible with AtomPub
implementations.

The new 'verifiable_request_format?' function
(action_controller/request_forgery_protection.rb:101) is banning DELETE
requests where request.content_type is nil.

It also forbids posting any type of media, like images. This should be solved
by adding every content type to @@unverifiable_types in Mime::Type.

Any comments?

A quick workaround would be to turn off forgery protection by removing 'protect_from_forgery' from the ApplicationController.

Manfred

Sure, but I'd like that functionality enabled for common requests

> Rails 2.1 Request Forgery Protection is incompatible with AtomPub
> implementations.
>
> The new 'verifiable_request_format?' function
> (action_controller/request_forgery_protection.rb:101) is banning DELETE
> requests where request.content_type is nil.

Shouldn't the content type be application/atom+xml? :atom is in
unverifiable_types.

> It also forbids posting any type of media, like images. This should be
> solved by adding every content type to @@unverifiable_types in Mime::Type.
>
> Any comments?

According to the docs, you can skip request forgery protection by
skipping the before_filter:

skip_before_filter :verify_authenticity_token

Do you have any suggestions to make this easier for AtomPub implementors?

>> Rails 2.1 Request Forgery Protection is incompatible with AtomPub
>> implementations.
>>
>> The new 'verifiable_request_format?' function
>> (action_controller/request_forgery_protection.rb:101) is banning DELETE
>> requests where request.content_type is nil.
>
> Shouldn't the content type be application/atom+xml? :atom is in
> unverifiable_types.

I guess it's set to nil by Rails, because of the request body being blank.

>> It also forbids posting any type of media, like images. This should be
>> solved by adding every content type to @@unverifiable_types in Mime::Type.
>>
>> Any comments?
>
> According to the docs, you can skip request forgery protection by
> skipping the before_filter:
>
> skip_before_filter :verify_authenticity_token

This would prevent forgery protection from working for HTML requests.

> Do you have any suggestions to make this easier for AtomPub implementors?

I would suggest some kind of white list like Mime::Type@@unverifiable_types
but for respond_to formats.
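The following is an added, self-contained Ruby model of the two things this thread discusses: the content-type-based check that causes a bodiless AtomPub DELETE (content type nil) and an image POST to be treated as token-requiring requests, and the per-controller format white list suggested in the last message. It is not Rails' code and not the thread authors' code; `Request`, `UNVERIFIABLE_TYPES`, `SESSION_TOKEN`, `AtomController` and its `EXEMPT_FORMATS` are constructed stand-ins chosen for illustration.

```ruby
# Constructed model of the forgery-protection logic described in the thread.
# Nothing here is Rails' own implementation; every name below is a stand-in.

# Minimal stand-in for the parts of a Rails request the check reads.
# http_method is a symbol (:get, :post, :delete), content_type and accept are
# strings or nil, params is a Hash.
Request = Struct.new(:http_method, :content_type, :accept, :params)

# Formats treated as "unverifiable": non-browser clients that carry no session
# cookie, so no authenticity token is expected. Mirrors the role of
# Mime::Type@@unverifiable_types; the concrete list is an assumption here.
UNVERIFIABLE_TYPES = %w[application/atom+xml application/xml text/xml
                        application/json].freeze

# Hypothetical token stored in the session, so the comparison has a reference.
SESSION_TOKEN = 'deadbeef'.freeze

# Model of verifiable_request_format? as the thread describes it: the request
# must carry the token unless its content type is on the unverifiable list.
# A nil content type (AtomPub DELETE with an empty body) and an image upload
# are therefore both treated as verifiable, which is the reported breakage.
def verifiable_request_format?(req)
  req.content_type.nil? || !UNVERIFIABLE_TYPES.include?(req.content_type)
end

# Decision in the style of the original filter: accept GETs, accept formats the
# list exempts, otherwise require a matching authenticity_token param.
def verified_request?(req)
  req.http_method == :get ||
    !verifiable_request_format?(req) ||
    req.params['authenticity_token'] == SESSION_TOKEN
end

# White-list alternative in the spirit of the last message: a controller
# declares which of its respond_to formats are token-exempt. The format is read
# from Content-Type when present and from Accept when the body is empty, so a
# bodiless DELETE that asks for Atom is still recognised as an AtomPub call,
# while an HTML form post keeps the normal token check.
class AtomController
  # Assumption: one short, per-controller list rather than a global one.
  EXEMPT_FORMATS = %w[application/atom+xml].freeze

  def self.request_format(req)
    req.content_type || req.accept
  end

  def self.verified_request?(req)
    return true if req.http_method == :get
    return true if EXEMPT_FORMATS.include?(request_format(req))
    req.params['authenticity_token'] == SESSION_TOKEN
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests exercising both versions of the check.
  atom_delete = Request.new(:delete, nil, 'application/atom+xml', {})
  image_post  = Request.new(:post, 'image/png', nil, {})
  html_post   = Request.new(:post, 'application/x-www-form-urlencoded',
                            'text/html', {})
  puts "AtomPub DELETE, original check: #{verified_request?(atom_delete)}"
  puts "AtomPub DELETE, white list:     #{AtomController.verified_request?(atom_delete)}"
  puts "image POST, original check:     #{verified_request?(image_post)}"
  puts "HTML form POST w/o token:       #{AtomController.verified_request?(html_post)}"
end
```

The white-list version treats the declared format as evidence that the caller is not a browser form, which is the same assumption the unverifiable-types list already makes; keeping the per-controller list to the formats the AtomPub endpoint actually serves limits how far that assumption reaches, and HTML form posts without a token are still rejected by both versions.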