Given a global CSRF token, such as the one present in the authenticity_token meta tag, it is possible to forge a per-form CSRF token for any action for that session.
Reference: https://groups.google.com/forum/#!msg/rubyonrails-security/NOjKiGeXUgw/XD3_jtvAAQAJ
Created rubygem-actionpack tracking bugs for this issue:
Affects: fedora-all [bug 1843153]
GitHub Commit: https://github.com/rails/rails/commit/d124f19287f4892c72ca54da728a781591c6fca1