Fixes AJAX requests for jQuery 1.5 because of new CSRF requirements

src/rails.js

@@ -12,6 +12,10 @@
 		obj.trigger(event, data);
 		return event.result !== false;
 	}
+
+	function appendCsrfToken(xhr){
+	  xhr.setRequestHeader('X-CSRF-Token', $('meta[name=csrf-token]').attr('content'));
+	}
 
 	// Submits "remote" forms and links with ajax
 	function handleRemote(element) {
@@ -41,6 +45,7 @@
 				if (settings.dataType === undefined) {
 					xhr.setRequestHeader('accept', '*/*;q=0.5, ' + settings.accepts.script);
 				}
+				appendCsrfToken(xhr);
 				return fire(element, 'ajax:beforeSend', [xhr, settings]);
 			},
 			success: function(data, status, xhr) {
@@ -137,12 +142,19 @@
 		var name = button.attr('name'), data = name ? {name:name, value:button.val()} : null;
 		button.closest('form').data('ujs:submit-button', data);
 	});
-	
+
 	$('form').live('ajax:beforeSend.rails', function(event) {
 		if (this == event.target) disableFormElements($(this));
 	});
 
 	$('form').live('ajax:complete.rails', function(event) {
 		if (this == event.target) enableFormElements($(this));
 	});
+
+	$.ajaxSetup({ 
+	  beforeSend: function(xhr){ 
+      appendCsrfToken(xhr);
+    }
+  });
 })( jQuery );
+

test/public/test/call-remote-callbacks.js

@@ -99,7 +99,13 @@ asyncTest('"ajax:beforeSend", "ajax:error" and "ajax:complete" are triggered on
     form.bind('ajax:error', function(e, xhr, status, error) { 
       equal(typeof xhr.getResponseHeader, 'function', 'first argument to "ajax:error" should be an XHR object');
       equal(status, 'error', 'second argument to ajax:error should be a status string');
-      equal(error, 'Forbidden', 'third argument to ajax:error should be an HTTP status response');
+      //1.4 sends an undefined error so use the status text
+      if(error != null){
+        equal(error, 'Forbidden', 'third argument to ajax:error should be an HTTP status response'); 
+      }
+      else {
+        equal(xhr.statusText, 'Forbidden', 'status text should be Forbidden')
+      }
       // Opera returns "0" for HTTP code
       equal(xhr.status, window.opera ? 0 : 403, 'status code should be 403');
     });

test/public/test/call-remote.js

@@ -67,6 +67,19 @@ asyncTest('prefer JS, but accept any format', 1, function() {
   });
 });
 
+asyncTest('passes in csrf token', 1, function(){
+  build_form({ method: 'post', action: '/header' })
+
+  $("form").append($("<input>").attr("name", "key").val("X-CSRF-Token"));
+  $('#qunit-fixture')
+    .append('<meta name="csrf-param" content="authenticity_token"/>')
+    .append('<meta name="csrf-token" content="cf50faa3fe97702ca1ae"/>');
+
+  submit(function(e, data, status, xhr){
+    equal(data, $('meta[name=csrf-token]').attr('content'));
+  })
+})
+
 asyncTest('accept application/json if "data-type" is json', 1, function() {
   build_form({ method: 'post', 'data-type': 'json' });
 

test/public/test/settings.js

@@ -27,6 +27,10 @@ App.assert_request_path = function(request_env, path) {
   equal(request_env['PATH_INFO'], path, 'request should be sent to right url');
 };
 
+App.assert_header_value = function(body, expected_value) {
+  equal(body, expected_value)
+}
+
 // hijacks normal form submit; lets it submit to an iframe to prevent
 // navigating away from the test suite
 $(document).bind('submit', function(e) {

test/server.rb

@@ -56,3 +56,13 @@ def script_tag src
 get '/error' do
   status 403
 end
+
+post '/header' do
+  status 200
+  header_key = "HTTP_#{params[:key].upcase.gsub("-", "_")}"
+  if env[header_key]
+    env[header_key]
+  else
+   ""
+  end
+end