CSRF token in query string not supported

[mlarratt]

In the case of JSONP calls which can only GET, it is common to use Rack::MethodOverride or similar to turn GET into other verbs as soon as it hits the middleware stack. In this scenario, it is not possible to include the CSRF token anywhere but the query string, even though the call later becomes a POST or other.

If you want to support having the token in the query string, you can check for the token using Rack::Request.params which is a union of both Rack::Request.GET & Rack::Request.POST