> Rails 2.1 Request Forgery Protection is incompatible with AtomPub
> New 'verifiable_request_format?' function
> (action_controller/request_forgery_protection.rb:101) is banning DELETE
> requests, where request.content_type is nil
Shouldn't the content type be application/atom+xml? :atom is in
I guess it's set to nil by Rails, because of the request body being blank.
> It also forbids posting any type of media, like images. This should be
> solved by adding every content type to @@unverifiable_types in Mime::Type
> Any comments?
According to the docs, you can skip request forgery protection by
skipping the before_filter:
This would prevent forgery protection working for HTML requests
Do you have any suggestions to make this easier for atompub implementors?
I would suggest some kind of white list like Mime::Type@@unverifiable_types
but for respond_to formats