Posted 3 months ago.

XHR is not JSON

When a Rails controller action should handle both HTML and JSON responses, do not use request.xhr? to decide that. Use respond_to.

I've too often seen code like this:

    def show
      # ...
      if request.xhr?
        render json: @user.as_json
      else
        # renders default HTML view
      end
    end

This is just plain wrong. Web browsers often fetch JSON via XHR, but they (should) also send the correct Accept HTTP header to tell the server the data they expect to receive.

If you use request.xhr? to mean "wants JSON", you lock out any client application that correctly sends Accept: application/json in a "regular" (non-XHR) request. You also break responses for XHRs that want to load something else (like HTML views in Unpoly).

Your actions should choose the response format via the respond_to method:

    def show
      # ...
      respond_to do |format|
        format.html # renders default HTML view
        format.json { render json: @user.as_json }
      end
    end

If your JSON is a bit more complex than the example above, you should put it into its own view (e.g. show.json.jbuilder). You can then refer to both views in your controller:

    def show
      # ...
      respond_to :html, :json
    end
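The two mismatches described above, as an added example that is not part of the original card: a plain-Ruby model (no Rails) that compares dispatching on the X-Requested-With header, which is what request.xhr? inspects, with a simplified Accept negotiation. The helper names and sample requests are constructed, and the negotiation is a stand-in for respond_to, not Rails' own implementation.

```ruby
# Added example: plain-Ruby model of the two dispatch strategies.
# Helper names and sample requests are constructed for illustration.

# request.xhr? inspects a client-supplied header, X-Requested-With.
def xhr?(headers)
  headers["X-Requested-With"].to_s.casecmp?("XMLHttpRequest")
end

# The pattern the card warns against: XHR is treated as "wants JSON".
def format_by_xhr(headers)
  xhr?(headers) ? :json : :html
end

SUPPORTED = { "text/html" => :html, "application/json" => :json }.freeze

# Simplified Accept negotiation: order media ranges by q-value (ties keep
# header order) and pick the first one the action supports.
# Returns nil when nothing matches (a 406 Not Acceptable in HTTP terms).
def format_by_accept(headers)
  ranges = headers.fetch("Accept", "*/*").split(",").each_with_index.map do |part, i|
    type, *params = part.strip.split(/\s*;\s*/)
    q = params.map { |p| p[/\Aq=(.+)\z/, 1] }.compact.first
    [type.to_s.downcase, q ? q.to_f : 1.0, i]
  end
  ranges.sort_by { |_, q, i| [-q, i] }.each do |type, q, _|
    next if q.zero?                               # q=0 means "not acceptable"
    return SUPPORTED.values.first if type == "*/*"
    return SUPPORTED[type] if SUPPORTED.key?(type)
  end
  nil
end

# Constructed sample requests matching the cases discussed above.
SAMPLES = {
  "API client, no XHR header" => { "Accept" => "application/json" },
  "Unpoly-style XHR for HTML" => { "Accept" => "text/html", "X-Requested-With" => "XMLHttpRequest" },
  "XHR that asks for JSON"    => { "Accept" => "application/json", "X-Requested-With" => "XMLHttpRequest" },
  "Browser navigation"        => { "Accept" => "text/html,application/xhtml+xml,*/*;q=0.8" }
}.freeze

def compare(samples = SAMPLES)
  samples.transform_values { |h| { xhr: format_by_xhr(h), accept: format_by_accept(h) } }
end

compare.each do |name, r|
  puts format("%-27s xhr?=%-5s Accept=%s", name, r[:xhr], r[:accept])
end
```

The first two rows are where the strategies disagree: the API client is handed HTML and the Unpoly-style request is handed JSON when the action branches on xhr?.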


Author of this card: Arne Hartherz
Last edit: 3 months ago by Henning Koch
Posted by Arne Hartherz to makandra dev