Move up the notice to the line of `:with` explanation

actionpack/lib/action_controller/metal/request_forgery_protection.rb

@@ -129,13 +129,12 @@ module ActionController # :nodoc:
       #
       #   If you need to add verification to the beginning of the callback chain, use <tt>prepend: true</tt>.
       # * <tt>:with</tt> - Set the method to handle unverified request.
+      #   Note if <tt>default_protect_from_forgery</tt> is true, Rails call protect_from_forgery with <tt>with :exception</tt>.
       #
       # Built-in unverified request handling methods are:
       # * <tt>:exception</tt> - Raises ActionController::InvalidAuthenticityToken exception.
       # * <tt>:reset_session</tt> - Resets the session.
       # * <tt>:null_session</tt> - Provides an empty session during request but doesn't reset it completely. Used as default if <tt>:with</tt> option is not specified.
-      #   Note if <tt>default_protect_from_forgery</tt> is true, Rails call protect_from_forgery with <tt>with :exception</tt>.
-      #   This might not be intuitive as the method itself treats <tt>:with</tt> as <tt>:null_session</tt> by default.
       #
       # You can also implement custom strategy classes for unverified request handling:
       #