JSON was recently added as an input type, just as XML has been for some time.
While playing with it I noticed that I get ActionController::InvalidAuthenticityToken when submitting JSON data that has the Content-Type set to application/json but without setting the Accept type.
Now, you won't usually send a different type of data than the one you want back, but technically speaking I should be able to send JSON data and ask for HTML as output, or the other way around.
The way I understand Request Forgery protection, it is only meant to protect against the posting of normal forms from different domains that abuse an open session a visitor might have.
Ajax requests are normally 'protected' by the same-origin policy.
Since normal forms are always www-form-encoded content, I believe request forgery protection should look at the Content-Type header instead of the Accept header. For normal form behaviour it shouldn't matter (since both headers are set), but in the case of an XML/JSON request that wants HTML back, it makes no sense that forgery protection kicks in, since XML/JSON content requests are already 'safe'.
So, to keep it short...
Can the RF protection be changed to check the Content-Type header instead of the Accept header?
Thanks,
Mathijs