OPTIONS should not require an XSRF token.

Closes tornadoweb#225.
adamf · Feb 23, 2011 · e7ae6c9 · e7ae6c9
1 parent fb8736c
commit e7ae6c9
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/tornado/web.py b/tornado/web.py
@@ -853,7 +853,7 @@ def _execute(self, transforms, *args, **kwargs):
                 raise HTTPError(405)
             # If XSRF cookies are turned on, reject form submissions without
             # the proper cookie
-            if self.request.method not in ("GET", "HEAD") and \
+            if self.request.method not in ("GET", "HEAD", "OPTIONS") and \
                self.application.settings.get("xsrf_cookies"):
                 self.check_xsrf_cookie()
             self.prepare()