Apr 11
I was trying to figure out why protect_from_forgery didn’t seem to be working in Rails. I was trying to get Rails to fail by changing the authenticity_token passed to the server during Ajax requests. However, I had forgotten that XMLHttpRequests are subject to the same-origin policy (SOP), so, for Ajax, you don’t need a valid authenticity token to be sure the request is OK.
I once learnt all this, but forgot it when trying to protect my application.
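As an added example (not code from the post or from Rails itself), the following Ruby models two versions of a request-verification check and runs the experiment described above against both. The `Request` struct, the `build` helper, the function names and the session token are all constructed for this illustration. The legacy-style check mirrors the shape of the check Rails used at the time, where a GET or an XMLHttpRequest (identified by the `X-Requested-With` header, which the same-origin policy kept same-origin) counted as verified, so a tampered token on an Ajax POST is never compared. The modern-style check is what current Rails does instead: every non-GET request must present the token, either as a form parameter or in the `X-CSRF-Token` header that Ajax callers add.

```ruby
require 'securerandom'

# Constructed stand-in for an incoming HTTP request; not Rails' request object.
Request = Struct.new(:http_method, :params, :headers, :session, keyword_init: true) do
  def get?
    http_method == 'GET'
  end

  # Ajax calls mark themselves with this header; a plain <form> post cannot.
  def xhr?
    headers['X-Requested-With'] == 'XMLHttpRequest'
  end
end

# Constant-time string comparison so the token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Legacy-style check: GET and XHR requests are treated as verified, so the
# token is only compared for ordinary (non-Ajax) form submissions.
def verified_request_legacy?(req)
  req.get? || req.xhr? ||
    secure_compare(req.session[:_csrf_token].to_s, req.params['authenticity_token'].to_s)
end

# Modern-style check: every non-GET request must carry a matching token, either
# as the authenticity_token param or in the X-CSRF-Token header.
def verified_request_modern?(req)
  return true if req.get?
  presented = req.params['authenticity_token'] || req.headers['X-CSRF-Token']
  secure_compare(req.session[:_csrf_token].to_s, presented.to_s)
end

# Helper (hypothetical) to assemble requests for the scenarios below.
def build(http_method:, session_token:, xhr: false, token: nil, header_token: nil)
  headers = {}
  headers['X-Requested-With'] = 'XMLHttpRequest' if xhr
  headers['X-CSRF-Token'] = header_token if header_token
  params = token ? { 'authenticity_token' => token } : {}
  Request.new(http_method: http_method, params: params, headers: headers,
              session: { _csrf_token: session_token })
end

# Constructed per-session token; Rails stores the real one in the session.
SESSION_TOKEN = SecureRandom.base64(32)

# Runs the post's experiment (tamper with the token on an Ajax POST) plus a
# regular form POST and a header-carried token, against both checks.
def demo
  scenarios = {
    good_form:     build(http_method: 'POST', token: SESSION_TOKEN, session_token: SESSION_TOKEN),
    tampered_form: build(http_method: 'POST', token: 'tampered',    session_token: SESSION_TOKEN),
    tampered_xhr:  build(http_method: 'POST', xhr: true, token: 'tampered', session_token: SESSION_TOKEN),
    xhr_header:    build(http_method: 'POST', xhr: true, header_token: SESSION_TOKEN,
                         session_token: SESSION_TOKEN)
  }
  {
    legacy: scenarios.transform_values { |r| verified_request_legacy?(r) },
    modern: scenarios.transform_values { |r| verified_request_modern?(r) }
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |style, results| puts "#{style}: #{results}" }
end
```

Under the legacy check the tampered Ajax request is accepted without its token ever being examined, which is the behaviour the post ran into; under the modern check it is rejected, and an Ajax caller has to send the real token in `X-CSRF-Token` (the `xhr_header` case) to be accepted. Rails moved to the second model because the `X-Requested-With` header alone turned out not to be a reliable proof of origin.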