I was reading through the security guide and working on some basic ajax… I thought it might be worth a mention in the guide that we don’t need to set the X-CSRF-Token header when we create an ajax call. It is mentioned, but not very clear. I had to dig into rails to find what actually happens.
I have created a branch with the following text, added after line 242 in guides/source/security.md
If you are using ‘jquery-rails’ then your ajax calls will automatically include a ‘X-CSRF-Token’ HTTP header. The value of this header will match the ‘csrf-token’ meta tag in your document head. Rails will reject any incoming ajax call if the token is missing or incorrect. Malicious ajax which executes in the context of a different document will not have access to the csrf-token meta tag.
If this seems like a good addition, I am happy to submit it as a pull request to rails.git
I think his point is that jquery-ujs appends the CSRF token to all AJAX requests that use jQuery’s $.ajax() and derivative methods, even when not using remote=true links and forms. I.e. when using a custom AJAX request within a Rails page that includes jquery-ujs, you don’t need to worry about appending the CSRF token.
Along those lines, I’d say the addition looks good to me. I’d make it more concise and clearer that you’re referring to all jQuery AJAX requests outside of those using jquery-ujs. Something like:
If you are using ‘jquery-rails’, all jQuery AJAX calls ($.ajax, $.get, $.post, $.getJSON, etc) will automatically include the ‘X-CSRF-Token’ HTTP header from the CSRF token meta tag in your document head.
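The exchange both posts describe, modelled end to end as an added example (this is constructed illustration code, not Rails or jquery-ujs source): the server embeds the session's token in the ‘csrf-token’ meta tag, the client copies it into the X-CSRF-Token header the way jquery-ujs does before each jQuery AJAX call, and the server compares the header against the session. The client side is simulated in Ruby rather than JavaScript, the token check is the simplified unmasked comparison (real Rails also accepts the form parameter and, in newer versions, masked tokens), and the function names and the session key `_csrf_token` are assumptions for the sake of the example.

```ruby
require 'securerandom'

# Constructed, simplified model of the CSRF-token flow discussed in the thread.
# Not Rails or jquery-ujs code; function names are illustrative.

# Server side: a session carries one CSRF token, created on first use.
def csrf_token_for(session)
  session[:_csrf_token] ||= SecureRandom.base64(32)
end

# Server side: the fragment csrf_meta_tags emits into the document head.
def render_head(session)
  %(<meta name="csrf-param" content="authenticity_token" />\n) +
    %(<meta name="csrf-token" content="#{csrf_token_for(session)}" />)
end

# Client side, modelled in Ruby: what jquery-ujs does before each $.ajax call.
# It reads the csrf-token meta tag of the *current* document and, if present,
# adds the X-CSRF-Token header. A document without the tag gets no header.
def ujs_ajax_headers(document_html)
  token = document_html[/<meta name="csrf-token" content="([^"]*)"/, 1]
  token ? { 'X-CSRF-Token' => token } : {}
end

# Constant-time comparison so verification does not leak how many leading
# bytes of a guessed token matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side: simplified version of the check Rails performs on non-GET
# requests. Returns :accepted or :rejected.
def verify_request(session, headers)
  header = headers['X-CSRF-Token']
  expected = session[:_csrf_token]
  if header && expected && secure_compare(header, expected)
    :accepted
  else
    :rejected
  end
end

# Walk through the three cases the thread discusses.
def demo
  session = {}
  app_head = render_head(session)

  # 1. Page served by the app: jquery-ujs finds the tag, header matches.
  same_origin = verify_request(session, ujs_ajax_headers(app_head))

  # 2. Script running in a different document (one without the app's meta tag):
  #    no header is added, so the request is rejected.
  other_document = '<html><head><title>not the app</title></head></html>'
  cross_origin = verify_request(session, ujs_ajax_headers(other_document))

  # 3. A stale or guessed token: present but wrong, also rejected.
  wrong = verify_request(session, { 'X-CSRF-Token' => 'guessed' })

  { same_origin: same_origin, cross_origin: cross_origin, wrong_token: wrong }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the three outcomes; only the request whose header was copied from the app's own document is accepted, which is the property the proposed guide text relies on.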