From efbd2cc3da19f62297fa1d26181277ed73d6b1b0 Mon Sep 17 00:00:00 2001 From: David Heinemeier Hansson Date: Tue, 2 Dec 2025 15:34:20 +0100 Subject: [PATCH] Allow API JSON requests to sidestep csrf protection --- app/controllers/concerns/request_forgery_protection.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/concerns/request_forgery_protection.rb b/app/controllers/concerns/request_forgery_protection.rb index 8ede51fc7..95fa12892 100644 --- a/app/controllers/concerns/request_forgery_protection.rb +++ b/app/controllers/concerns/request_forgery_protection.rb @@ -12,7 +12,7 @@ module RequestForgeryProtection end def verified_request? - super || safe_fetch_site? + super || safe_fetch_site? || request.format.json? end SAFE_FETCH_SITES = %w[ same-origin same-site ]