Expose CSRF tag for UJS adapters

actionpack/lib/action_view/helpers.rb

@@ -7,6 +7,7 @@ module Helpers #:nodoc:
     autoload :AtomFeedHelper, 'action_view/helpers/atom_feed_helper'
     autoload :CacheHelper, 'action_view/helpers/cache_helper'
     autoload :CaptureHelper, 'action_view/helpers/capture_helper'
+    autoload :CsrfHelper, 'action_view/helpers/csrf_helper'
     autoload :DateHelper, 'action_view/helpers/date_helper'
     autoload :DebugHelper, 'action_view/helpers/debug_helper'
     autoload :FormHelper, 'action_view/helpers/form_helper'
@@ -40,6 +41,7 @@ module ClassMethods
     include AtomFeedHelper
     include CacheHelper
     include CaptureHelper
+    include CsrfHelper
     include DateHelper
     include DebugHelper
     include FormHelper

actionpack/lib/action_view/helpers/csrf_helper.rb

+module ActionView
+  module Helpers
+    module CsrfHelper
+      # Returns a meta tag with the request forgery protection token for forms to use. Put this in your head.
+      def csrf_meta_tag
+        if protect_against_forgery?
+          %(<meta name="csrf-token" content="#{Rack::Utils.escape(form_authenticity_token)}"/>).html_safe
+        end
+      end
+    end
+  end
+end

actionpack/test/controller/request_forgery_protection_test.rb

@@ -15,13 +15,17 @@ def unsafe
     render :text => 'pwn'
   end
 
+  def meta
+    render :inline => "<%= csrf_meta_tag %>"
+  end
+
   def rescue_action(e) raise e end
 end
 
 # sample controllers
 class RequestForgeryProtectionController < ActionController::Base
   include RequestForgeryProtectionActions
-  protect_from_forgery :only => :index
+  protect_from_forgery :only => %w(index meta)
 end
 
 class FreeCookieController < RequestForgeryProtectionController
@@ -211,6 +215,11 @@ def setup
     ActiveSupport::SecureRandom.stubs(:base64).returns(@token)
     ActionController::Base.request_forgery_protection_token = :authenticity_token
   end
+
+  test 'should emit a csrf-token meta tag' do
+    get :meta
+    assert_equal %(<meta name="csrf-token" content="#{@token}"/>), @response.body
+  end
 end
 
 class FreeCookieControllerTest < ActionController::TestCase
@@ -238,6 +247,11 @@ def test_should_allow_all_methods_without_token
       assert_nothing_raised { send(method, :index)}
     end
   end
+
+  test 'should not emit a csrf-token meta tag' do
+    get :meta
+    assert @response.body.blank?
+  end
 end
 
 class CustomAuthenticityParamControllerTest < ActionController::TestCase

railties/lib/generators/erb/scaffold/templates/layout.html.erb

@@ -4,6 +4,7 @@
   <title><%= controller_class_name %>: <%%= controller.action_name %></title>
   <%%= stylesheet_link_tag 'scaffold' %>
   <%%= javascript_include_tag :defaults %>
+  <%%= csrf_meta_tag %>
 </head>
 <body>