I’m going to go out on a limb here and say the new CSRF protection in
Rails is flawed. Why? Forget about caching if you care to use it.
Consider the following:
<% cache do %>
<%= link_to_remote "Add To Favorites", :url => {:controller =>
"favorites", :action => "create", "movie_id" => 2} %>
<% end %>
Output
The trouble is the cached (and consequently invalid)
authenticity_token being sent in the POST, which triggers the CSRF in
Rails, thereby rejecting the request. That’s no fun.
Then again, maybe I’m an incompetent retard and the CSRF protection in
Rails is flawless and I’m totally missing something. Please,
somebody, educate me if this is the case.
Thanks,
Josh
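An added illustration (not Josh's code and not Rails' own implementation) of why a fragment-cached authenticity_token fails for every session but the one that warmed the cache, alongside one mitigation: cache the fragment with a placeholder and substitute the live per-session token after the cache lookup. The cache, session and verification classes below are simplified stand-ins for the Rails internals.

```ruby
require 'securerandom'

# Constructed stand-in for Rails fragment caching plus CSRF token checks.
# Assumptions: the token is per session, the view helper bakes it into the
# markup, and the server rejects a POST whose token differs from the session's.
class FragmentCache
  def initialize; @store = {}; end
  # Like <% cache do %>: run the block only on a miss and memoize its HTML.
  def fetch(key); @store[key] ||= yield; end
end

class Session
  attr_reader :csrf_token
  def initialize; @csrf_token = SecureRandom.hex(16); end
end

TOKEN_PLACEHOLDER = '__CSRF_TOKEN__'

# Renders the link the way the view in the post does: token baked into the HTML.
def link_to_remote_with_token(session)
  %(<a href="/favorites/create?movie_id=2" data-token="#{session.csrf_token}">Add To Favorites</a>)
end

# Flawed version: the whole fragment, token included, lands in the cache.
def render_cached_link(cache, session)
  cache.fetch('favorites_link') { link_to_remote_with_token(session) }
end

# Mitigated version: cache a token-free fragment and splice the live token in
# after the cache lookup, so every session gets its own token.
def render_cached_link_safe(cache, session)
  html = cache.fetch('favorites_link_safe') do
    %(<a href="/favorites/create?movie_id=2" data-token="#{TOKEN_PLACEHOLDER}">Add To Favorites</a>)
  end
  html.sub(TOKEN_PLACEHOLDER, session.csrf_token)
end

def token_from(html)
  html[/data-token="([^"]+)"/, 1]
end

# Server side: the protect_from_forgery comparison, reduced to equality.
def verify_authenticity_token(session, submitted)
  submitted == session.csrf_token
end

# Two sessions share one cache; returns whether the second session's POST passes.
def simulate(renderer)
  cache = FragmentCache.new
  first, second = Session.new, Session.new
  renderer.call(cache, first)          # session one warms the cache
  html = renderer.call(cache, second)  # session two is served the fragment
  verify_authenticity_token(second, token_from(html))
end
```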