On which browsers does work the Rails 3 XSRF protection?

There is a nice XSRF protection for link_to method in Rails 3 that generates some custom HTML5 tags, a hash security key and with a bunch of JavaScript it can send requests using safer PUT/DELETE/POST methods instead of HTTP GET. Thats very nice.

But I am in doubt on which browsers does this work? I mean it definitely does not work when JavaScript is disabled. But does the browse开发者_开发知识库r need to be HTML5? AFAIK there are many browsers that implement some portions of HTML5 and as this technique needs only a custom HTML tag it could work on older ones.

Is there any kind of document that describes this compatibility? I am interested in:

• Chrome/Safari
• Firefox
• MSIE
• Opera

Thanks

The links only contain that special HTML5-data if you want the link to be POST/PUT/DELETE. A regular link can only be a GET. JavaScript dependency is because of this, not because of the XSRF solution.

The custom HTML5 attributes (not tags) are just attributes that are named "data-...". Browsers did accept custom attributes before HTML5, but now there is a way how you can add custom attributes without jeopardizing your HTML5-validity.

So, for this list of browsers you provided: all working, down to IE6 (unless you disable JavaScript).