This document summarizes how Rails' protect_from_forgery configuration has changed and how to address issues that may arise. It protects from CSRF/XSS attacks by checking non-GET requests. Before Rails 3.0.4, it only checked HTML/JavaScript requests, but now checks all non-GET requests. To fix potential issues, add a jQuery snippet to send the CSRF token on AJAX requests and include the csrf_meta_tag.
2. What it does now
Turns on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked. Basically protects from XSS.

3. What it used to do before Rails 3.0.4
It used to just check HTML/JavaScript requests. Before, all Ajax requests were passed through. Now all non-GET requests are checked.

4. How to fix
Add this jQuery snippet to your JavaScript:

    $(document).ajaxSend(function(e, xhr, options) {
      var token = $("meta[name='csrf-token']").attr("content");
      xhr.setRequestHeader("X-CSRF-Token", token);
    });

Add this to the head section of your layout if it's not already there:

    = csrf_meta_tag
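To see why the jQuery hook is needed, here is an added example (not Rails' own code, not from the slides) that models the verification decision before and after 3.0.4 on constructed sample requests; the request hashes, the token value and the helper names are assumptions made for the illustration.

```ruby
# Simplified model of Rails' verified_request? decision, written for this
# page (not Rails' own code), to show why an Ajax POST passed before 3.0.4
# and fails afterwards unless it sends the X-CSRF-Token header.
# Session token and request hashes below are constructed sample data.

BROWSER_TYPES = ["text/html", "text/javascript"].freeze

# Constant-time comparison so a mismatch does not leak how many leading
# bytes of the token were correct.
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# A request is a Hash: method, xhr (true for Ajax), content_type, params, headers.
def token_matches?(request, session_token)
  secure_compare(session_token, request[:params]["authenticity_token"]) ||
    secure_compare(session_token, request[:headers]["X-CSRF-Token"])
end

# Before 3.0.4 (as the slides describe it): only non-GET HTML/JavaScript
# requests were checked; Ajax and other content types passed straight through.
def verified_before_3_0_4?(request, session_token)
  return true if request[:method] == "GET" || request[:xhr]
  return true unless BROWSER_TYPES.include?(request[:content_type])
  token_matches?(request, session_token)
end

# From 3.0.4: every non-GET request needs a matching token, either as the
# authenticity_token form field or in the X-CSRF-Token header that the
# jQuery ajaxSend hook adds.
def verified_after_3_0_4?(request, session_token)
  return true if request[:method] == "GET"
  token_matches?(request, session_token)
end

# Constructed sample requests: an Ajax POST and a regular form POST.
def ajax_post(token: nil)
  headers = token ? { "X-CSRF-Token" => token } : {}
  { method: "POST", xhr: true, content_type: "application/json",
    params: {}, headers: headers }
end

def form_post(token: nil)
  params = token ? { "authenticity_token" => token } : {}
  { method: "POST", xhr: false, content_type: "text/html",
    params: params, headers: {} }
end
```

With a session token `t`, `verified_before_3_0_4?(ajax_post, t)` is true while `verified_after_3_0_4?(ajax_post, t)` is false; passing `ajax_post(token: t)`, which is what the ajaxSend hook produces, makes the 3.0.4 check pass again.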
5. Further info
Rails 3.0.4 release notes: http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4
CVE-2011-0447 and the fixing commit: https://github.com/rails/rails/commit/ae19e4141f27f80013c11e8b1da68e5c52c779ea#actionpack/lib/action_controller/metal/request_forgery_protection.rb
Blog post by someone else who ran into a similar issue: http://binary10ve.blogspot.com/2011/05/migrating-to-rails-3-got-stuck-with.html