Rails 4: Should a HEAD request not be handled like a GET for CSRF protection?

Michiel Sikkes wrote in post #1093276:

I am running a Rails 4 app in semi-production and I constantly get
exceptions from crawler bots that use a HEAD HTTP method, which causes
CSRF protection to kick in.

Shouldn't HEAD requests normally be handled like GET requests?

According to the Rails Guide it seems apparent that only GET requests are
assumed to be safe.


HEAD requests should not be CSRF protected; sounds like a bug needs to
be filed to me.
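
The behaviour discussed in this thread, as an added example that is not part of the thread and not Rails' own code: a CSRF verifier with a switch for whether HEAD counts as a safe method alongside GET. The class, method names and sample requests are constructed for illustration.

```ruby
require "openssl"
require "securerandom"

# Illustrative verifier (hypothetical names), not the Rails implementation.
class CsrfVerifier
  # RFC 7231 section 4.2.1 lists GET, HEAD, OPTIONS and TRACE as safe methods;
  # this sketch only exempts the two discussed in the thread.
  SAFE_METHODS = %w[GET HEAD].freeze

  def initialize(treat_head_as_safe: true)
    @safe = treat_head_as_safe ? SAFE_METHODS : %w[GET]
  end

  # env is a Rack-style hash; session_token is the token stored in the session.
  def verified?(env, session_token)
    method = env.fetch("REQUEST_METHOD").upcase
    return true if @safe.include?(method)   # read-only request: no token needed
    secure_compare(env["HTTP_X_CSRF_TOKEN"].to_s, session_token)
  end

  private

  # Hash both values to a fixed length, then compare without early exit.
  def secure_compare(a, b)
    da = OpenSSL::Digest::SHA256.digest(a)
    db = OpenSSL::Digest::SHA256.digest(b)
    diff = 0
    da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# Returns :allowed or :rejected for each request, in order.
def classify(requests, token, verifier)
  requests.map { |env| verifier.verified?(env, token) ? :allowed : :rejected }
end

TOKEN = SecureRandom.base64(32)

# Constructed sample requests: a browser GET, a crawler HEAD,
# a POST without a token, and a POST carrying the session token.
SAMPLE_REQUESTS = [
  { "REQUEST_METHOD" => "GET" },
  { "REQUEST_METHOD" => "HEAD" },
  { "REQUEST_METHOD" => "POST" },
  { "REQUEST_METHOD" => "POST", "HTTP_X_CSRF_TOKEN" => TOKEN },
].freeze
```

With `treat_head_as_safe: false` the crawler's HEAD request is rejected like a tokenless POST, which is the symptom reported in the first post.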