Risks with protect_from_forgery :except => [:new] in Rails 4.2.0 app


After upgrading from Rails 3.2 to Rails 4.2.0, the Ajax call that creates a new log raised an exception in an integration spec:

Failure/Error: click_link 'New Log'
     ActionController::InvalidCrossOriginRequest:
       Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.

Here is a New Log button:

link_to t('New Log'), commonx.new_log_path(:resource_id => @part.id, :format => :js), :remote => true

After adding :except => :new to the application controller, the exception disappeared. It now looks like this in the app's application controller:

protect_from_forgery :except => [:new]

I looked around online and still do not have a clear understanding of the potential risks associated with this :except. Would someone shed some light on this?


Solution

  • The risks are explained in the Rails Security Guide, basically without it you allow another website to trick one of your users into giving them access to your site.

    You're much better off disabling it just for that controller, see the protect_from_forgery docs for how to do that.
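Added illustration (not part of the question or the answer above, and not Rails' own code): a small Ruby model of the two checks that protect_from_forgery installs in Rails 4.2, the before_action that verifies the CSRF token on non-GET requests and the after_action that raises InvalidCrossOriginRequest when a GET returns JavaScript to a caller that did not send the XHR header. It compares the questioner's app-wide `:except => [:new]` with an exemption scoped to one controller, as the answer recommends. The controller names, the `api_keys` controller and the request objects are constructed for the example; the `:all` key stands in for a declaration in ApplicationController.

```ruby
require 'set'

# Constructed model of the two checks Rails 4.2 runs when protect_from_forgery
# is on (added example, not Rails' own implementation):
#   1. before_action verify_authenticity_token  - non-GET/HEAD needs a valid token
#   2. after_action  verify_same_origin_request - a GET that returns JavaScript to
#      a caller without the XHR header looks like a cross-site <script src> embed
Request = Struct.new(:method, :xhr, :content_type, :token_valid, :controller, :action)

class ForgeryPolicy
  # exemptions: controller name (or :all for ApplicationController) => Set of actions
  def initialize
    @exempt = Hash.new { |h, k| h[k] = Set.new }
  end

  # Stands in for `protect_from_forgery :except => actions` or
  # `skip_before_action :verify_authenticity_token, :only => actions`
  def exempt(controller, *actions)
    @exempt[controller].merge(actions)
    self
  end

  def exempt?(req)
    @exempt[:all].include?(req.action) || @exempt[req.controller].include?(req.action)
  end

  # Returns :ok, :invalid_authenticity_token or :invalid_cross_origin_request
  def check(req)
    return :ok if exempt?(req)
    safe_method = %w[GET HEAD].include?(req.method)
    return :invalid_authenticity_token unless safe_method || req.token_valid
    if req.method == 'GET' && req.content_type.start_with?('text/javascript') && !req.xhr
      return :invalid_cross_origin_request
    end
    :ok
  end
end

# No exemptions at all: the state before the questioner added :except
DEFAULT  = ForgeryPolicy.new
# The questioner's setting: :except => [:new] in ApplicationController covers every controller
APP_WIDE = ForgeryPolicy.new.exempt(:all, 'new')
# What the answer recommends: exempt only the log controller's new action
SCOPED   = ForgeryPolicy.new.exempt('logs', 'new')

# Constructed requests; text/javascript is what a new.js.erb response carries.
XHR_NEW_LOG    = Request.new('GET',  true,  'text/javascript', nil,   'logs',     'new') # :remote => true link
PLAIN_NEW_LOG  = Request.new('GET',  false, 'text/javascript', nil,   'logs',     'new') # plain GET, no XHR header
PLAIN_NEW_KEY  = Request.new('GET',  false, 'text/javascript', nil,   'api_keys', 'new') # another controller's new.js
POST_NO_TOKEN  = Request.new('POST', true,  'text/javascript', false, 'api_keys', 'new') # missing CSRF token

# Outcome of one request under each of the three policies
def compare(req)
  { default: DEFAULT.check(req), app_wide: APP_WIDE.check(req), scoped: SCOPED.check(req) }
end

if __FILE__ == $PROGRAM_NAME
  [XHR_NEW_LOG, PLAIN_NEW_LOG, PLAIN_NEW_KEY, POST_NO_TOKEN].each do |r|
    puts "#{r.method} #{r.controller}##{r.action} xhr=#{r.xhr}: #{compare(r)}"
  end
end
```

Two things stand out from the output. A non-XHR GET for logs#new.js is what the same-origin check exists to stop, and it is most likely what a rack_test-driven integration spec sends, since that driver follows a :remote link as an ordinary GET (an assumption about the questioner's setup). Under the app-wide exemption, the `new` action of every controller, including ones that never needed it, loses both the cross-origin JavaScript check and the CSRF token check for non-GET requests; the scoped policy keeps those checks everywhere except the one action that was actually failing.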