by nfm 4571 days ago
I believe the fix for this (checking if the request is xhr) hasn't been committed yet.

Is that completely adequate? There was an earlier round of changes due to attackers being able to forge the .xhr header on requests. (This was the patch set at which Rails started checking CSRF tokens on .xhr? requests; before that, they got a free pass.)

See http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypas...

Is there a way to check that which can't be faked by altering the browser or a js framework though?

I was under the impression that trying to validate that was ultimately as fragile as checking the user-agent string...

It relies on a header, which can't be set through the attack vector, so it's all kosher.
Since we are on the same page, could you help me in this discussion with nzkoz? https://github.com/rails/rails/issues/11509 We're talking about different things.
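As an added illustration of the check the thread is debating (this is example code written for this page, not Rails' own `protect_from_forgery` implementation and not code from any commenter): a minimal verifier for a state-changing request that treats the session-bound authenticity token as the authoritative CSRF control and uses the `X-Requested-With` header only to classify a rejection for logging, so an XHR request never gets the "free pass" the first reply describes older Rails as granting. The request shape (a plain Hash with `:method`, `:headers`, `:params`, `:session`), the `csrf_verdict` function and the return symbols are all assumptions of this example.

```ruby
require 'securerandom'

# Methods that must not change server state and therefore need no token.
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

# Generate a fresh per-session token (the value stored in the session and
# embedded in forms / sent back in X-CSRF-Token).
def new_csrf_token
  SecureRandom.base64(32)
end

# Constant-time string comparison so the token check does not leak timing.
def constant_time_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Verify one request. `req` is a Hash standing in for a Rack request
# (assumed shape for this example):
#   :method  -> "GET", "POST", ...
#   :headers -> Rack-style keys, e.g. "HTTP_X_REQUESTED_WITH"
#   :params  -> form/query parameters
#   :session -> server-side session with :csrf_token
# Returns :ok, :rejected, or :rejected_xhr_without_token.
def csrf_verdict(req)
  return :ok if SAFE_METHODS.include?(req[:method].to_s.upcase)

  headers = req[:headers] || {}
  params  = req[:params]  || {}
  session = req[:session] || {}

  session_token = session[:csrf_token]
  submitted     = params['authenticity_token'] || headers['HTTP_X_CSRF_TOKEN']
  xhr           = headers['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'

  if constant_time_equal?(session_token, submitted)
    :ok
  elsif xhr
    # The header alone is not proof of origin; a legitimate same-origin
    # script would have sent the token too. Classify separately so the
    # event can be alerted on, but still reject.
    :rejected_xhr_without_token
  else
    :rejected
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample session and requests for a stand-alone run.
  sess = { csrf_token: new_csrf_token }
  puts csrf_verdict({ method: 'POST', headers: {}, params: { 'authenticity_token' => sess[:csrf_token] }, session: sess })
  puts csrf_verdict({ method: 'POST', headers: { 'HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest' }, params: {}, session: sess })
end
```

Safe methods pass without a token; every other method needs a token matching the session, whether it arrives as a form field or in the `X-CSRF-Token` header. The `:rejected_xhr_without_token` verdict exists only so a detection pipeline can distinguish "XHR header present but no token" from a plain missing token.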