
Ticket #10700 (new defect)

Opened 4 months ago

Last modified 3 months ago

Autocompleter should use GET instead of POST to pass CSRF protection

Reported by: mschuerig
Assigned to: madrobby
Priority: high
Milestone: 2.x
Component: script.aculo.us
Version: edge
Severity: minor
Keywords: autocompleter
Cc:

Description

The Ajax.Autocompleter uses the default POST method of Ajax.Base. As a consequence, when CSRF protection (protect_from_forgery) is enabled, requests by the autocompleter are rejected.

This is easy to circumvent, of course, by simply setting the method-option to 'get' manually, but likely results in surprises when autocompletion doesn't work out of the box.

The simple solution is to change Ajax.Autocompleter so it uses GET.
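The behaviour reported above, as an added example that is not part of the ticket and is not script.aculo.us or Rails source: a small model of the server-side rule (GET is not verified, any other method needs a matching `authenticity_token`) and of the request the autocompleter builds from its `method` and `parameters` options. The URL, field name and token value are constructed, and sending the token through `parameters` is an assumption that goes beyond the workaround named in the ticket.

```javascript
// Added example: a model, not script.aculo.us or Rails source code.

// Simplified form of the rule protect_from_forgery applies on the server:
// GET requests are not verified; every other method must carry an
// authenticity_token parameter equal to the token stored in the session.
function passesForgeryCheck(request, sessionToken) {
  if (request.method.toLowerCase() === 'get') return true;
  const sent = new URLSearchParams(request.body).get('authenticity_token');
  return sent === sessionToken;
}

// Model of the request the autocompleter builds from its options.
// method defaults to 'post' (the Ajax.Base default named in the ticket);
// the `parameters` option is a query string appended to the typed value.
function autocompleteRequest(paramName, typed, options) {
  options = options || {};
  let query = encodeURIComponent(paramName) + '=' + encodeURIComponent(typed);
  if (options.parameters) query += '&' + options.parameters;
  const method = options.method || 'post';
  const url = '/items/complete'; // hypothetical action URL
  return method.toLowerCase() === 'get'
    ? { method: method, url: url + '?' + query, body: '' }
    : { method: method, url: url, body: query };
}

// Constructed token with characters that must be URL-encoded when sent.
const SESSION_TOKEN = 'constructed+token/for=example';

function demo() {
  const byDefault = autocompleteRequest('q', 'rai', {});
  const viaGet = autocompleteRequest('q', 'rai', { method: 'get' });
  const postWithToken = autocompleteRequest('q', 'rai', {
    parameters: 'authenticity_token=' + encodeURIComponent(SESSION_TOKEN)
  });
  return {
    byDefault: passesForgeryCheck(byDefault, SESSION_TOKEN),
    viaGet: passesForgeryCheck(viaGet, SESSION_TOKEN),
    postWithToken: passesForgeryCheck(postWithToken, SESSION_TOKEN),
    getUrl: viaGet.url
  };
}

console.log(demo());
```

With `method: 'get'` the typed text travels in the URL, so the completion action should only read data and never change state.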

Change History

02/10/08 19:54:54 changed by zsombor

How do you feel about #11071 global solution to all Ajax requests?