From b7e8930b82213b6e4d45f01cc5e6ce1a370659bd Mon Sep 17 00:00:00 2001
From: Ben Darnell
Date: Wed, 9 Feb 2011 17:09:57 -0800
Subject: [PATCH] Check XSRF tokens on all non-idempotent requests instead of just POST.

---
 tornado/web.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tornado/web.py b/tornado/web.py
index 20dbcae7..01ba81bb 100644
--- a/tornado/web.py
+++ b/tornado/web.py
@@ -853,7 +853,7 @@ class RequestHandler(object):
             raise HTTPError(405)
         # If XSRF cookies are turned on, reject form submissions without
         # the proper cookie
-        if self.request.method == "POST" and \
+        if self.request.method not in ("GET", "HEAD") and \
            self.application.settings.get("xsrf_cookies"):
             self.check_xsrf_cookie()
         self.prepare()
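Review bot: The new condition treats every method other than GET and HEAD as state-changing, which also pulls OPTIONS into the XSRF check; OPTIONS is a safe method (a CORS preflight, for example) that normally carries neither the session cookie nor an `_xsrf` argument, so it would now be rejected with 403 whenever `xsrf_cookies` is enabled. Listing it with the other safe methods matches the subject line's intent: `if self.request.method not in ("GET", "HEAD", "OPTIONS") and \`. The comment two lines above still says "form submissions"; with PUT and DELETE now covered it should read `# If XSRF cookies are turned on, reject state-changing (non-safe) requests without the proper token`. Whether check_xsrf_cookie can locate the token for non-form bodies such as a JSON PUT depends on how it reads the token, which is not visible in this hunk. The enclosing method starts and ends outside the hunk.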