Merge pull request rails#54583 from skipkayhil/hm-opt-verified-request

byroot · web-flow · commit d0b67970f418 · 2025-02-25T15:36:53.000+01:00
Do cheap/happy check first in `verified_request?`
diff --git a/actionpack/lib/action_controller/metal/request_forgery_protection.rb b/actionpack/lib/action_controller/metal/request_forgery_protection.rb
@@ -468,7 +468,7 @@ def non_xhr_javascript_response? # :doc:
       # *   Does the `X-CSRF-Token` header match the form_authenticity_token?
       #
       def verified_request? # :doc:
-        !protect_against_forgery? || request.get? || request.head? ||
+        request.get? || request.head? || !protect_against_forgery? ||
           (valid_request_origin? && any_authenticity_token_valid?)
       end
 

Original file line number	Diff line number	Diff line change
`@@ -468,7 +468,7 @@ def non_xhr_javascript_response? # :doc:`
`468`	`468`	# * Does the `X-CSRF-Token` header match the form_authenticity_token?
`469`	`469`	`#`
`470`	`470`	`def verified_request? # :doc:`
`471`		`- !protect_against_forgery? \|\| request.get? \|\| request.head? \|\|`
	`471`	`+ request.get? \|\| request.head? \|\| !protect_against_forgery? \|\|`
`472`	`472`	`(valid_request_origin? && any_authenticity_token_valid?)`
`473`	`473`	`end`
`474`	`474`