Opened 14 years ago
Closed 14 years ago
#15871 closed Bug (duplicate)
JavaScript CSRF fix for Ajax POST mentioned in docs intermittently fails to append token for IE7
Reported by: | | Owned by: | nobody |
---|---|---|---|
Component: | Documentation | Version: | 1.3 |
Severity: | Normal | Keywords: | ajax csrf post |
Cc: | | Triage Stage: | Unreviewed |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
I've found that in some cases (not sure why), IE7 will prepend protocol://servername to a form's action, causing the `if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {...}` test to fail...
I propose we use the following instead, as it will work in more cases:
```js
var page_host = window.location.host;
var regex = new RegExp('^https?://' + page_host + '/', 'i');
if (regex.test(settings.url) || !(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
    // Only send the token to relative URLs i.e. locally.
}
```
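
The following added example (not code from the ticket or from Django) puts the check proposed above next to a stricter same-origin test. It goes beyond the ticket by escaping the host before building the regex, requiring the page's own scheme, and rejecting scheme-relative URLs to other hosts. `loc` stands in for `window.location`, and the function names and sample URLs are constructed for illustration.

```javascript
// Added example; `loc` is a stand-in for window.location so this also runs under Node.

// Escape regex metacharacters so a host like "example.com" is matched literally.
function escapeRegExp(s) {
    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// The check proposed in the ticket, parameterised on the host for comparison.
function ticketCheck(url, host) {
    var regex = new RegExp('^https?://' + host + '/', 'i');
    return regex.test(url) ||
        !(/^http:.*/.test(url) || /^https:.*/.test(url));
}

// Stricter variant: the token goes only to relative URLs or to URLs whose
// scheme, host and port all equal the page's own.
function shouldSendToken(url, loc) {
    // The origin must be followed by '/', '?', '#' or end of string, so a
    // longer host name that merely starts with ours does not match.
    var tail = '(?:[/?#]|$)';
    var absolute = new RegExp(
        '^' + escapeRegExp(loc.protocol + '//' + loc.host) + tail, 'i');
    var schemeRelative = new RegExp(
        '^' + escapeRegExp('//' + loc.host) + tail, 'i');
    if (absolute.test(url) || schemeRelative.test(url)) {
        return true;
    }
    // Anything else that carries a scheme or starts with "//" is cross-origin.
    return !/^(?:[a-z][a-z0-9+.-]*:|\/\/)/i.test(url);
}

// Constructed sample values.
var page = { protocol: 'https:', host: 'example.com' };
var samples = [
    '/api/save/',                     // relative
    'https://example.com/api/save/',  // absolute, same origin (the IE7 case)
    'HTTPS://EXAMPLE.COM/api/save/',  // same origin, different letter case
    'http://example.com/api/save/',   // same host, cleartext scheme
    'https://exampleXcom/api/save/',  // different host; unescaped '.' matches 'X'
    '//other.test/api/save/'          // scheme-relative, different host
];
samples.forEach(function (u) {
    console.log(u, ticketCheck(u, page.host), shouldSendToken(u, page));
});
```

The first three samples pass both checks; the last three pass only the ticket's check, which is where the two differ.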
Dupe of #15869