Code

Opened 3 years ago

Closed 3 years ago

#15870 closed Bug (duplicate)

CSRF fix for Ajax POST mentioned in docs intermittently fails to append token for IE7

Reported by: nick@… Owned by: nobody
Component: Documentation Version: 1.3
Severity: Normal Keywords: ajax csrf post
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

I've found that in some cases(not sure why), IE7 will prepend protocol://servername to a form's action, causing the

 if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {...}

test to fail...

I propose we use the following instead, as it will work in more cases:

    var page_host = window.location.host;
    var regex=new RegExp('^https?://' + page_host + '/', 'i');
    if (regex.test(settings.url) || !(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
        // Only send the token to relative URLs i.e. locally.
    }

Attachments (0)

Change History (1)

comment:1 Changed 3 years ago by Alex

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset
  • Resolution set to duplicate
  • Status changed from new to closed

Dupe of #15869

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.