# frozen_string_literal: true require "rack/session/abstract/id" require "action_controller/metal/exceptions" require "active_support/security_utils" module ActionController # :nodoc: class InvalidAuthenticityToken < ActionControllerError # :nodoc: end class InvalidCrossOriginRequest < ActionControllerError # :nodoc: end # Controller actions are protected from Cross-Site Request Forgery (CSRF) attacks # by including a token in the rendered HTML for your application. This token is # stored as a random string in the session, to which an attacker does not have # access. When a request reaches your application, \Rails verifies the received # token with the token in the session. All requests are checked except GET requests # as these should be idempotent. Keep in mind that all session-oriented requests # are CSRF protected by default, including JavaScript and HTML requests. # # Since HTML and JavaScript requests are typically made from the browser, we # need to ensure to verify request authenticity for the web browser. We can # use session-oriented authentication for these types of requests, by using # the protect_from_forgery method in our controllers. # # GET requests are not protected since they don't have side effects like writing # to the database and don't leak sensitive information. JavaScript requests are # an exception: a third-party site can use a