Opened 14 years ago
Closed 14 years ago
#15871 closed Bug (duplicate)
JavaScript CSRF fix for Ajax POST mentioned in docs intermittently fails to append token for IE7
| Reported by: | Owned by: | nobody | |
|---|---|---|---|
| Component: | Documentation | Version: | 1.3 |
| Severity: | Normal | Keywords: | ajax csrf post |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
I've found that in some cases(not sure why), IE7 will prepend protocol://servername to a form's action, causing the
if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {...}
test to fail...
I propose we use the following instead, as it will work in more cases:
var page_host = window.location.host;
var regex=new RegExp('^https?://' + page_host + '/', 'i');
if (regex.test(settings.url) || !(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
// Only send the token to relative URLs i.e. locally.
}
Note:
See TracTickets
for help on using tickets.
Dupe of #15869