Opened 15 years ago
Closed 15 years ago
#15973 closed Bug (duplicate)
Ajax CSRF code in docs doesn't always work. — at Version 1
| Reported by: | | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | 1.3 |
| Severity: | Normal | Keywords: | |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description (last modified by )
While making sure URLs are local, simply filtering for relative URLs is not sufficient. Several libraries may end up requesting a fully qualified URL that is in fact local.

My suggestion is to change this line:

```javascript
if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
```

to this:

```javascript
var root = location.protocol + '//' + location.host;
if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url)) || settings.url.substr(0, root.length) === root) {
```
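An added example, not code from the ticket, its patch or Django's documentation, showing the same-origin decision as a standalone function. A plain `substr(0, root.length) === root` prefix test accepts any host that merely begins with the page's origin string (e.g. `https://example.com.evil.test`), and a scheme-relative `//other.host/` URL would be treated as relative by the original regex; the version below handles both. `loc` stands in for `window.location` and is passed explicitly so the check can be tested offline.

```javascript
// Same-origin check for deciding whether to attach the CSRF header.
// `loc` mimics window.location ({protocol, host}); host includes any explicit port.
function sameOrigin(url, loc) {
  var srOrigin = '//' + loc.host;          // scheme-relative origin, e.g. "//example.com"
  var origin = loc.protocol + srOrigin;    // full origin, e.g. "https://example.com"

  // True if `u` is exactly `prefix`, or `prefix` followed by a path, query or
  // fragment delimiter. Rejects "https://example.com.evil.test", which a bare
  // prefix comparison would accept. Host comparison is case-insensitive.
  function isOrExtends(u, prefix) {
    var head = u.slice(0, prefix.length).toLowerCase();
    if (head !== prefix.toLowerCase()) return false;
    var rest = u.slice(prefix.length);
    return rest === '' || /^[\/?#]/.test(rest);
  }

  if (isOrExtends(url, origin) || isOrExtends(url, srOrigin)) return true;
  // Anything that carries a scheme ("http:", "ftp:", ...) or is scheme-relative
  // ("//host/") and did not match above points elsewhere; everything else is a
  // relative URL and therefore local. (Default-port normalisation, e.g.
  // "https://example.com:443", is deliberately not attempted here.)
  return !/^([a-z][a-z0-9+.\-]*:|\/\/)/i.test(url);
}

// Only state-changing methods need the token.
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(String(method).toUpperCase());
}

// The decision the beforeSend hook would make for one outgoing request.
function shouldSendCsrfToken(method, url, loc) {
  return !csrfSafeMethod(method) && sameOrigin(url, loc);
}

// Wiring into jQuery would look like this (not executed in this example):
// $.ajaxSetup({ beforeSend: function (xhr, settings) {
//   if (shouldSendCsrfToken(settings.type, settings.url, window.location)) {
//     xhr.setRequestHeader('X-CSRFToken', csrftoken);  // csrftoken read from the cookie
//   }
// }});
```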
Change History (2)
by , 15 years ago
| Attachment: | ajax_csrf_fix.patch added |
|---|
comment:1 by , 15 years ago
| Description: | modified (diff) |
|---|---|
| Resolution: | → duplicate |
| Status: | new → closed |
| Triage Stage: | Unreviewed → Accepted |
This is essentially the same as #15869 with different circumstances (i.e. certain libraries rather than certain browsers).
BTW, please use preview to check that your description comes out properly formatted.
Attachment description: Modifies the Ajax CSRF code in the docs to look for the current page's domain as well as relative URLs.