require 'securerandom'

module ActionController
  module RequestForgeryProtection
    # forgery_protection_strategy, allow_forgery_protection and request_forgery_protection_token
    # are used below but not defined on this page; they are assumed to be configuration
    # accessors provided by the including controller.

    # Lean on the protect_from_forgery declaration to mark which actions are
    # due for same-origin request verification. If protect_from_forgery is
    # enabled on an action, this before_action flags its after_action to
    # verify that JavaScript responses are for XHR requests, ensuring they
    def verify_authenticity_token
      # Body assembled from the behaviour documented above, using only the helpers in this module.
      mark_for_same_origin_verification!
      handle_unverified_request unless verified_request?
    end
    # Delegates an unverified request to the configured forgery protection strategy.
    def handle_unverified_request
      forgery_protection_strategy.new(self).handle_unverified_request
    end
    # Only GET requests are flagged for the after_action same-origin check.
    def mark_for_same_origin_verification!
      @marked_for_same_origin_verification = request.get?
    end
    # If the `verify_authenticity_token` before_action ran, verify that
    def marked_for_same_origin_verification?
      @marked_for_same_origin_verification ||= false
    end
    # A text/javascript response to a non-XHR request is the cross-origin case guarded against.
    def non_xhr_javascript_response?
      content_type =~ %r(\Atext/javascript) && !request.xhr?
    end
    # Returns true or false if a request is verified. Checks:
    #
    # * is it a GET or HEAD request? Gets should be safe and idempotent
    # * Does the form_authenticity_token match the given token value from the params?
    def verified_request?
      !protect_against_forgery? || request.get? || request.head? ||
        form_authenticity_token == params[request_forgery_protection_token] ||
        form_authenticity_token == request.headers['X-CSRF-Token'] # token may also be sent in this header
    end
    # Generated once per session and reused from then on.
    def form_authenticity_token
      session[:_csrf_token] ||= SecureRandom.base64(32)
    end
    # The token value as submitted in the form params.
    def form_authenticity_param
      params[request_forgery_protection_token]
    end
    # Whether forgery protection is enabled for this controller.
    def protect_against_forgery?
      allow_forgery_protection
    end
  end
end
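As an added example (not code from the Rails module above), the same decision rules replayed against constructed stand-ins so the verdicts can be checked offline: FakeRequest, CsrfDemoController and csrf_outcomes are invented names, the session is a plain Hash, and the form parameter name is assumed to be Rails' default authenticity_token.

```ruby
require 'securerandom'
# Constructed stand-in for the parts of a Rails request the module consults.
FakeRequest = Struct.new(:verb, :params, :headers, :xhr) do
  def get?;  verb == 'GET';  end
  def head?; verb == 'HEAD'; end
  def xhr?;  xhr; end
end
# Minimal controller applying the module's decision rules to a plain session hash.
class CsrfDemoController
  TOKEN_PARAM = :authenticity_token # assumed default request_forgery_protection_token
  attr_reader :request, :session, :content_type
  def initialize(request, session, content_type)
    @request, @session, @content_type = request, session, content_type
  end
  # Same as the module: the token is minted once and kept in the session.
  def form_authenticity_token
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end
  # Same rule as verified_request?: GET/HEAD pass; anything else must carry
  # the session token in the form param or in the X-CSRF-Token header.
  def verified_request?
    request.get? || request.head? ||
      form_authenticity_token == request.params[TOKEN_PARAM] ||
      form_authenticity_token == request.headers['X-CSRF-Token']
  end
  # The after_action case: a GET rendered as text/javascript without XHR is
  # what a cross-site <script src=...> embedding looks like, so it is refused.
  def cross_origin_javascript?
    request.get? && content_type.start_with?('text/javascript') && !request.xhr?
  end
end

# Runs the cases a reviewer would want to see and returns each verdict.
def csrf_outcomes
  session = {}
  ctl = ->(verb, params: {}, headers: {}, xhr: false, type: 'text/html') {
    CsrfDemoController.new(FakeRequest.new(verb, params, headers, xhr), session, type)
  }
  token = ctl.('GET').form_authenticity_token # first call mints and stores the token
  {
    get_no_token:      ctl.('GET').verified_request?,
    post_no_token:     ctl.('POST').verified_request?,
    post_param_token:  ctl.('POST', params: { authenticity_token: token }).verified_request?,
    post_header_token: ctl.('POST', headers: { 'X-CSRF-Token' => token }).verified_request?,
    post_wrong_token:  ctl.('POST', params: { authenticity_token: 'bogus' }).verified_request?,
    script_tag_get:    ctl.('GET', type: 'text/javascript').cross_origin_javascript?,
    xhr_js_get:        ctl.('GET', xhr: true, type: 'text/javascript').cross_origin_javascript?
  }
end
```

Note that the token comparison here is plain `==`, as in the module above; a rotated or masked token scheme would need its own comparison step.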