There is a nice XSRF protection for the link_to method in Rails 3 that generates some custom HTML5 tags and a hash security key, and with a bunch of JavaScript it can send requests using safer PUT/DELETE/POST methods instead of HTTP GET. That's very nice.
But I am in doubt: on which browsers does this work? I mean it definitely does not work when JavaScript is disabled. But does the browser need to be HTML5? AFAIK there are many browsers that implement some portions of HTML5, and as this technique needs only a custom HTML tag it could work on older ones.
Is there any kind of document that describes this compatibility? I am interested in:
- Chrome/Safari
- Firefox
- MSIE
- Opera
Thanks
The links only contain that special HTML5 data if you want the link to be POST/PUT/DELETE. A regular link can only be a GET. The JavaScript dependency is because of this, not because of the XSRF solution.
The custom HTML5 attributes (not tags) are just attributes that are named “data-…”. Browsers did accept custom attributes before HTML5, but now there is a way to add custom attributes without jeopardizing your HTML5 validity.
So, for this list of browsers you provided: all working, down to IE6 (unless you disable JavaScript).
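The mechanism described in the answer above, as an added example that is not part of the original thread and is not the script Rails ships: a link carrying `data-method` is turned into a hidden POST form that includes the method override and the XSRF token. The names `buildMethodForm`, `escapeAttr`, `fakeLink` and `sampleCsrf` are hypothetical, the token value is constructed, and the CSRF values are passed in rather than read from the page's `csrf-param` / `csrf-token` meta tags so the block runs without a browser.

```javascript
// Added illustration; not the code Rails ships. Names here are hypothetical.

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// `link` only needs getAttribute(), which browsers supported long before
// HTML5 (element.dataset is the newer API and is deliberately not used).
// `csrf` holds the contents of the csrf-param / csrf-token meta tags.
// Returns null for ordinary GET links, otherwise the markup of a hidden form.
function buildMethodForm(link, csrf) {
  const method = (link.getAttribute('data-method') || 'get').toLowerCase();
  if (method === 'get') return null; // plain link, no JavaScript needed
  if (['post', 'put', 'delete'].indexOf(method) === -1) {
    throw new Error('unsupported data-method: ' + method);
  }
  // Assumption: forgery protection is on, so a missing token is an error.
  if (!csrf || !csrf.param || !csrf.token) {
    throw new Error('missing CSRF meta values');
  }
  const fields = [];
  // HTML forms can only send GET or POST, so PUT/DELETE travel as a
  // _method parameter inside a POST.
  if (method !== 'post') fields.push(['_method', method]);
  fields.push([csrf.param, csrf.token]);
  const inputs = fields.map(function (f) {
    return '<input type="hidden" name="' + escapeAttr(f[0]) +
           '" value="' + escapeAttr(f[1]) + '">';
  }).join('');
  return '<form method="post" action="' + escapeAttr(link.getAttribute('href')) +
         '" style="display:none">' + inputs + '</form>';
}

// Constructed sample: a stand-in for <a href="/posts/1" data-method="delete">.
function fakeLink(attrs) {
  return { getAttribute: function (n) { return n in attrs ? attrs[n] : null; } };
}
const sampleCsrf = { param: 'authenticity_token', token: 'CONSTRUCTED"TOKEN' };
console.log(buildMethodForm(fakeLink({ href: '/posts/1', 'data-method': 'delete' }), sampleCsrf));
```

In a browser the returned markup would be appended to the document and submitted from a click handler; with JavaScript disabled that handler never runs and the link falls back to a plain GET.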