by JangoSteve
5188 days ago
One of the other interesting changes in this release from my perspective:

* Do not include the authenticity token in forms where remote: true as ajax forms use the meta-tag value DHH

This doesn't really explain accurately what happened. It's not that the default behavior changed; rather a new option was actually introduced to allow you to easily do this if needed for fragment caching a remote form without making it cache a stale authenticity token (used to protect against CSRF attacks).

From the core mailing list:

Rails 3.2.3 also introduces a new option that allows you to control
the behavior of remote forms when it comes to `authenticity_token`
generation. If you want to fragment cache your forms, authenticity
token will also get cached, which isn't acceptable. However, if you
only use such forms with ajax, you can disable token generation,
because it will be fetched from `meta` tag. Starting with 3.2.3, you
have an option to stop generating `authenticity_token` in remote forms
(i.e. `:remote => true` is passed as an option), by setting
`config.action_view.embed_authenticity_token_in_remote_forms = false`.
Please note that this will break sending those forms with javascript
disabled. If you choose to not generate the token in remote forms by
default, you can still explicitly pass `:authenticity_token => true`
when generating the form to bypass this setting.
The option defaults to `true`, which means that existing apps are
NOT affected.