For example, two controllers, one has protect_from_forgery and not.
Class A < ApplicationController protect_from_forgery ... end Class B < ApplicationController session :off ... end
If I do not use cookie session or declare controller B as session off, when I use link_to_remote in the views for B, I get a crash for no :secret is given in B.
Currently, protect_against_forgery? is implemented as
def protect_against_forgery? allow_forgery_protection && request_forgery_protection_token end
By default allow_forgery_protection is true and request_forgery_protection_token is a cattr_accessor. So no matter where protect_from_forgery is called once, protect_against_forgery? will return true everywhere, which makes protect_against_forgery? not quite useful to tell whether a controller is protect against forgery or not.
I have proposed a fix at http://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/555-protect_from_forgery-is-not-quite-class-wise . Hope it help.
