diff --git a/actionpack/CHANGELOG.md b/actionpack/CHANGELOG.md
index de62919c3c66759ec96fb017e1a633d902baec0d..f004a4fce78a5634f2591a0bf79dfc9539a99903 100644
--- a/actionpack/CHANGELOG.md
+++ b/actionpack/CHANGELOG.md
@@ -1,5 +1,10 @@
 ## Rails 4.0.0 (unreleased) ##
+* Changed default value for `config.action_view.embed_authenticity_token_in_remote_forms`
+ to `false`. This change breaks remote forms that need to work also without javascript,
+ so if you need such behavior, you can either set it to `true` or explicitly pass
+ `:authenticity_token => true` in form options
+
 * Added ActionDispatch::SSL middleware that when included force all the requests to be under HTTPS protocol. *Rafael Mendonça França*
 * Add `include_hidden` option to select tag. With `:include_hidden => false` select with `multiple` attribute doesn't generate hidden input with blank value. *Vasiliy Ermolovich*
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index be4e88c9b354e94b1723d82e5ec6968ab0c6136c..63451e2c36b38ecd9493e854db8bdc49f3687351 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -19,7 +19,7 @@ module FormTagHelper
 include TextHelper
 mattr_accessor :embed_authenticity_token_in_remote_forms
- self.embed_authenticity_token_in_remote_forms = true
+ self.embed_authenticity_token_in_remote_forms = false
 # Starts a form tag that points the action to an url configured with url_for_options just like
 # ActionController::Base#url_for. The method for the form defaults to POST.
diff --git a/actionpack/lib/action_view/railtie.rb b/actionpack/lib/action_view/railtie.rb
index 5162e1955b887801b160b045f68d5ae4242d6e19..9f5e3be45449b86d64f29ad8db0c745fd2e9e61c 100644
--- a/actionpack/lib/action_view/railtie.rb
+++ b/actionpack/lib/action_view/railtie.rb
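Review bot: The flipped default on the `+ self.embed_authenticity_token_in_remote_forms = false` line carries a security assumption that nothing next to the `mattr_accessor` states: with embedding off, a remote form has no CSRF token of its own, so the request passes the forgery check only when the page renders the CSRF meta tag and the UJS driver (the `jquery_ujs` expansion configured in railtie.rb) reads the token from it and sends it with the XHR request; a form that falls back to a plain submit when JavaScript is unavailable is rejected. That is documented only in the guide and the changelog, not at the point where a maintainer would change the value, and the same default is set a second time in the railtie hunk, so the two literals must be kept in sync by hand. I would add above the `mattr_accessor` a comment along the lines of `# Default false: remote (:remote => true) forms carry no hidden token and rely on the CSRF meta tag via UJS; set to true, or pass :authenticity_token => true per form, when a remote form must also submit without JavaScript. Keep in sync with the default in railtie.rb.` The same remark applies to the railtie hunk below, where a one-line comment pointing back here would do.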
@@ -7,7 +7,7 @@ class Railtie < Rails::Railtie
 config.action_view = ActiveSupport::OrderedOptions.new
 config.action_view.stylesheet_expansions = {}
 config.action_view.javascript_expansions = { :defaults => %w(jquery jquery_ujs) }
- config.action_view.embed_authenticity_token_in_remote_forms = true
+ config.action_view.embed_authenticity_token_in_remote_forms = false
 initializer "action_view.embed_authenticity_token_in_remote_forms" do |app|
 ActiveSupport.on_load(:action_view) do
diff --git a/actionpack/test/controller/request_forgery_protection_test.rb b/actionpack/test/controller/request_forgery_protection_test.rb
index 7ded9ddc8130df6917b24acb529a3a33c836a13e..89f605b5adab0687ba24c4636e4ea195d8ab90b3 100644
--- a/actionpack/test/controller/request_forgery_protection_test.rb
+++ b/actionpack/test/controller/request_forgery_protection_test.rb
@@ -116,42 +116,37 @@ def test_should_render_button_to_with_token_tag
 assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', @token
 end
- def test_should_render_form_with_token_tag_if_remote
+ def test_should_render_form_without_token_tag_if_remote
 assert_not_blocked do
 get :form_for_remote
 end
- assert_match(/authenticity_token/, response.body)
+ assert_no_match(/authenticity_token/, response.body)
 end
- def test_should_render_form_without_token_tag_if_remote_and_embedding_token_is_off
+ def test_should_render_form_with_token_tag_if_remote_and_embedding_token_is_on
+ original = ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms
 begin
- ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = false
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
 assert_not_blocked do
 get :form_for_remote
 end
- assert_no_match(/authenticity_token/, response.body)
+ assert_match(/authenticity_token/, response.body)
 ensure
- ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = original
 end
 end
- def test_should_render_form_with_token_tag_if_remote_and_embedding_token_is_off_but_true_option_passed
- begin
- ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = false
+ def test_should_render_form_with_token_tag_if_remote_and_external_authenticity_token_requested_and_embedding_is_on
+ original = ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms
+ begin
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
 assert_not_blocked do
- get :form_for_remote_with_token
+ get :form_for_remote_with_external_token
 end
- assert_match(/authenticity_token/, response.body)
+ assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', 'external_token'
 ensure
- ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = true
- end
- end
-
- def test_should_render_form_with_token_tag_if_remote_and_external_authenticity_token_requested
- assert_not_blocked do
- get :form_for_remote_with_external_token
+ ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = original
 end
- assert_select 'form>div>input[name=?][value=?]', 'custom_authenticity_token', 'external_token'
 end
 def test_should_render_form_with_token_tag_if_remote_and_authenticity_token_requested
diff --git a/guides/source/configuring.textile b/guides/source/configuring.textile
index 46e02c904f1ee67d60a9610fd3f242d647cf9f1e..246af587bc43093dd15d7cba2a7ca057db28cf9e 100644
--- a/guides/source/configuring.textile
+++ b/guides/source/configuring.textile
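Review bot: The two rewritten tests, `test_should_render_form_with_token_tag_if_remote_and_embedding_token_is_on` and the `..._external_authenticity_token_requested_and_embedding_is_on` one, repeat the same save/set/ensure-restore dance around the process-wide `embed_authenticity_token_in_remote_forms` setting, and `test_should_render_form_without_token_tag_if_remote` silently depends on that global still being at its default when it runs. Saving `original` instead of hard-coding the restore value is the right fix, but it belongs in one helper so the next test that toggles the flag cannot forget the `ensure`, and the "without token" test can then pin its precondition explicitly with `with_embed_authenticity_token_in_remote_forms(false)` instead of trusting test order. The final context line `def test_should_render_form_with_token_tag_if_remote_and_authenticity_token_requested` belongs to a method whose body lies outside the hunk.
```ruby
def test_should_render_form_with_token_tag_if_remote_and_embedding_token_is_on
  with_embed_authenticity_token_in_remote_forms(true) do
    assert_not_blocked { get :form_for_remote }
    assert_match(/authenticity_token/, response.body)
  end
end

# … unchanged: the external-token test, wrapped the same way …

# Sets the process-wide remote-form token default for the block and always restores the prior value.
def with_embed_authenticity_token_in_remote_forms(value)
  original = ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms
  ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = value
  yield
ensure
  ActionView::Helpers::FormTagHelper.embed_authenticity_token_in_remote_forms = original
end
```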
@@ -395,7 +395,7 @@ And can reference in the view with the following code:
 * +config.action_view.cache_asset_ids+ With the cache enabled, the asset tag helper methods will make fewer expensive file system calls (the default implementation checks the file system timestamp). However this prevents you from modifying any asset files while the server is running.
-* +config.action_view.embed_authenticity_token_in_remote_forms+ This is by default set to true. If you set it to false, authenticity_token will not be added to forms with +:remote => true+ by default. You can force +authenticity_token+ to be added to such remote form by passing +:authenticity_token => true+ option.
+* +config.action_view.embed_authenticity_token_in_remote_forms+ allows you to set the default behavior for +authenticity_token+ in forms with +:remote => true+. By default it's set to false, which means that remote forms will not include +authenticity_token+, which is helpful when you're fragment-caching the form. Remote forms get the authenticity from the +meta+ tag, so embedding is unnecessary unless you support browsers without JavaScript. In such case you can either pass +:authenticity_token => true+ as a form option or set this config setting to +true+
 h4. Configuring Action Mailer