From 3a26efe5f9ea3132758f99d8f6bb71925160ff91 Mon Sep 17 00:00:00 2001
From: Simon Mayer <simon.mayer@onb.ac.at>
Date: Tue, 6 Sep 2022 10:12:39 +0200
Subject: [PATCH] Activate CSRF protection for XHR/Ajax requests but allow them
 from any origin

---
 config/environments/development.rb | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/config/environments/development.rb b/config/environments/development.rb
index 0f21118..b1fde8c 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -73,10 +73,9 @@ Rails.application.configure do
   # routes, locales, etc. This feature depends on the listen gem.
   config.file_watcher = ActiveSupport::EventedFileUpdateChecker
 
-  # Uncomment if you wish to allow Action Cable access from any origin.
-  # config.action_cable.disable_request_forgery_protection = true
+  # Allow Action Cable access from any origin.
   config.action_cable.url = "http://127.0.0.1:3000/cable"
   config.action_cable.disable_request_forgery_protection = true
+  # Allow XHR/Ajax requests from different origin
   config.action_controller.forgery_protection_origin_check = false
-  config.action_controller.default_protect_from_forgery = false
 end
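Review bot: `config.action_cable.disable_request_forgery_protection = true` switches off Action Cable's Origin check entirely, so any page open in the developer's browser can connect to `/cable` with the session cookies attached. The new comment sits above the `url` line rather than above this setting and does not state that trade-off. If only known front-end origins need access, `config.action_cable.allowed_request_origins = [FRONTEND_ORIGIN]` (placeholder) would keep the check in place. The second comment also overstates what `forgery_protection_origin_check = false` does: it only stops comparing the Origin header with the request's base URL and adds no CORS headers, and with the removed `default_protect_from_forgery = false` line gone the authenticity token is presumably still enforced by the app default. A more accurate comment would be `# Skip the Origin-header comparison in CSRF checks; the authenticity token is still verified.` The `Rails.application.configure do` block starts outside the hunk, so other settings affecting these checks are not visible here.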
-- 
GitLab