This merges in the code from the breach-mitigation-rails gem that masks
authenticity tokens on each request by XORing them with a random set of
bytes. The masking is used to make it impossible for an attacker to
steal a CSRF token from an SSL session by using techniques like the
BREACH attack.

The patch is pretty simple - I've copied over the [relevant
code](https://github.com/meldium/breach-mitigation-rails/blob/master/lib/breach_mitigation/masking_secrets.rb)
and updated the tests to pass, mostly by adjusting stubs and mocks.

Nokogiri leaves '<' unescaped, so the assert_select looking for '&lt;' will never work. Switched to assert_matching the reponse body.

Fixed a Nokogiri::CSS::SyntaxError by using its expected format for unicode characters.

Related with cbb91745

This was changed at cbb91745

Added the log_warning_on_csrf_failure option to ActionController::RequestForgeryProtection
which is on by default.

Thanks to @homakov for sounding the alarm about JSONP-style data leaking

Previously it was raising a NilException

They don't add any benefits over `assert object.blank?`
and `assert object.present?`

It's further work on CSRF after 24594110.

The :null_session CSRF protection method provide an empty session during
request processing but doesn't reset it completely (as :reset_session
does).

If embedding auth_token in remote forms is off and we
pass a value for auth_token it should respect it.

Changed default value for `config.action_view.embed_authenticity_token_in_remote_forms`
to `false`. This change breaks remote forms that need to work also without javascript,
so if you need such behavior, you can either set it to `true` or explicitly pass
`:authenticity_token => true` in form options

There is a regression introduced in 16ee611f, which breaks
remote forms that should also work without javascript. This commit
introduces config option that allows to configure this behavior
defaulting to the old behavior (ie. include authenticity token
in remote forms by default)

Conflicts:

	actionpack/CHANGELOG.md

Do not include the authenticity token in forms where remote: true as ajax forms use the meta-tag value

can be configured using `:with` option in `protect_from_forgery` method
or `request_forgery_protection_method` config option

possible values:
- :reset_session (default)
- :exception

new applications are generated with:

    protect_from_forgery :with => :exception

PATCH is the correct HTML verb to map to the #update action. The
semantics for PATCH allows for partial updates, whereas PUT requires a
complete replacement.

Changes:
* adds config.default_method_for_update you can set to :patch
* optionally use PATCH instead of PUT in resource routes and forms
* adds the #patch verb to routes to detect PATCH requests
* adds #patch? to Request
* changes documentation and comments to indicate support for PATCH

This change maintains complete backwards compatibility by keeping :put
as the default for config.default_method_for_update.

These requires were added in a87b92db and the implementation changed in
2cdc1f0c, removing the need for them.

Replace references to ActiveSupport::SecureRandom with just SecureRandom, and require 'securerandom' from the stdlib when active support is required.

Improved formatting of csrf_helper and improved test coverage

Unfortunately the previous method of browser detection and XHR whitelisting is unable to prevent requests issued from some Flash animations and Java applets.  To ease the work required to include the CSRF token in ajax requests rails now supports providing the token in a custom http header:

 X-CSRF-Token: ...

This fixes CVE-2011-0447

[#6228 state:committed]
Signed-off-by: NSantiago Pastorino <santiago@wyeworks.com>

Added tests for form_for and an authenticity_token option. Added docs for for_for and authenticity_token option. Added section to form helpers guide about forms for external resources and new authenticity_token option for form_tag and form_for helpers.

[#6228 state:committed]
Signed-off-by: NSantiago Pastorino <santiago@wyeworks.com>

get csrf_meta_tag back to the generated layout in deference to existing printed material, chomp also the generated HTML to be faithful to the output before the refactor

revises implementation and documentation of csrf_meta_tags, and aliases csrf_meta_tag to it for backwards compatibilty