#15869 closed Bug (fixed)
CSRF fix for Ajax POST mentioned in docs intermittently fails to append token for IE7
| Reported by: | | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | 1.3 |
| Severity: | Normal | Keywords: | ajax csrf post |
| Cc: | | Triage Stage: | Accepted |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I've found that in some cases (not sure why), IE7 will prepend protocol://servername to a form's action, causing the

```javascript
if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {...}
```

test to fail...
I propose we use the following instead, as it will work in more cases:

```javascript
var page_host = window.location.host;
var regex = new RegExp('^https?://' + page_host + '/', 'i');
if (regex.test(settings.url) || !(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
    // Only send the token to relative URLs i.e. locally.
}
```
Change History (6)
comment:1 by , 14 years ago (follow-up: 2)

| Easy pickings: | unset |
|---|---|
| Triage Stage: | Unreviewed → Accepted |
comment:2 by , 14 years ago
Replying to lukeplant:
> Thanks. Can you check if this works when there is an explicit port number in the URL? (i.e. presumably IE will have to include this in the URL, but is it also included in window.location.host?)

Just checked, and yes, it does appear to work properly, even when a port is in the URL. Good idea, I hadn't thought of that!
comment:3 by , 14 years ago
Two problems:
1) the regex approach actually is incorrect if page_host contains any special characters like '.', which it will do, opening up vulnerabilities. Escaping the special characters is one fix, but that is trickier than it ought to be, because javascript doesn't have built in methods for doing it.
2) I think we should treat http and https as completely different. There are many bugs that come from treating them as the same. We should just use the 'same origin' protocol here.
In addition, the original code doesn't handle things like scheme relative URLs correctly. I'll come up with a patch shortly.
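The three checks discussed in this ticket side by side, as an added example that is not part of the ticket, of the documented snippet, or of the patch Django eventually committed: the check originally in the docs, the reporter's regex, and a same-origin test of the kind comment:3 calls for. The page location is a constructed stand-in for window.location (host, port and URLs are assumed values), and the same-origin version uses the WHATWG URL parser to resolve relative and scheme-relative URLs before comparing scheme and host:port, which is one way to implement the idea and not necessarily how the project did it.

```javascript
// Added example, not code from the ticket or from Django. It puts the three
// checks discussed above side by side so their behaviour can be compared.

// Constructed stand-in for window.location on the page
// https://www.example.com:8443/app/ (assumed values, chosen so a non-default
// port is in play, as comment:1 asked about).
const PAGE_LOCATION = {
  protocol: 'https:',
  host: 'www.example.com:8443', // like window.location.host, includes the port
  href: 'https://www.example.com:8443/app/',
};

// 1. The check from the docs: anything that does not start with "http:" or
//    "https:" is assumed to be a relative URL and gets the token.
function originalCheckSendsToken(url) {
  return !(/^http:.*/.test(url) || /^https:.*/.test(url));
}

// 2. The reporter's proposal: additionally accept absolute URLs on the page's
//    host. The host goes into the pattern unescaped, so each '.' in it is a
//    regex wildcard, and "http" and "https" are treated as interchangeable.
function proposedCheckSendsToken(url, loc) {
  const regex = new RegExp('^https?://' + loc.host + '/', 'i');
  return regex.test(url) || originalCheckSendsToken(url);
}

// 3. A same-origin test in the spirit of comment:3: resolve the URL the way the
//    browser would (relative, scheme-relative and absolute forms alike), then
//    require scheme and host:port to match the page exactly. No regex is built
//    from the host, so special characters in it are not a problem.
function sameOrigin(url, loc) {
  let target;
  try {
    target = new URL(url, loc.href);
  } catch (e) {
    return false; // unparseable: never send the token
  }
  return target.protocol === loc.protocol && target.host === loc.host;
}

// Run all three checks over a set of constructed URLs and report which ones
// would send the CSRF token.
function compareChecks(urls, loc) {
  return urls.map((url) => ({
    url,
    original: originalCheckSendsToken(url),
    proposed: proposedCheckSendsToken(url, loc),
    sameOrigin: sameOrigin(url, loc),
  }));
}

// Constructed inputs covering the cases raised in the ticket.
const SAMPLE_URLS = [
  '/api/item/1/',                          // relative: all three send the token
  'https://www.example.com:8443/api/',     // absolute form IE7 produced: original refuses
  'http://www.example.com:8443/api/',      // same host, other scheme: proposed accepts
  'https://wwwXexample.com:8443/api/',     // unescaped '.' in the regex matches the 'X'
  '//evil.example/collect',                // scheme-relative: original treats it as local
  'https://www.example.com/api/',          // default port differs from 8443
];

console.table(compareChecks(SAMPLE_URLS, PAGE_LOCATION));
```

Run under Node (the WHATWG URL class is a global there as in browsers) and the table shows the two bypasses comment:3 describes: the reporter's regex lets `https://wwwXexample.com:8443/` through because the dot in the host is a wildcard, and the original check hands the token to `//evil.example/collect` because a scheme-relative URL does not begin with `http:` or `https:`. Only the same-origin variant rejects both, along with the same host reached over the other scheme or a different port.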