Invalid Cross Origin Request After Upgrading to Rails 4.1

Question

Some point after I upgraded from Rails 3.2 to Rails 4.1, I started getting the following errors:

ActionController::InvalidCrossOriginRequest: Security warning: an embedded tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript

They mainly come from Internet Explorer 6 or 8 browsers on Windows XP, and never have accompanying user info, even though they're accessing a controller action that is only displayed to signed-in users.

How do I fix this issue or resolve it?

(See also a related issue from before upgrading: Why does Rails Fail to access the Session in an Ajax request from Internet Explorer? )

Answer 1

As per "CSRF protection from remote tags " from the rails guide:

In the case of tests, where you also doing the client, change from:

get :index, format: :js

To:

xhr :get, :index, format: :js

http://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#csrf-protection-from-remote-script-tags

In the case you want to make this route skip csrf check, white list the route using something like:

protect_from_forgery :except => :create