Opened 14 years ago
Closed 14 years ago
#15973 closed Bug (duplicate)
Ajax CSRF code in docs doesn't always work.
Field | Value
---|---
Reported by | 
Owned by | nobody
Component | Documentation
Version | 1.3
Severity | Normal
Keywords | 
Cc | 
Triage Stage | Accepted
Has patch | yes
Needs documentation | no
Needs tests | no
Patch needs improvement | no
Easy pickings | no
UI/UX | no
Description
While making sure URLs are local, simply filtering for relative URLs is not sufficient. Several libraries may end up requesting a fully qualified URL that is in fact local.
My suggestion is to change this line:

```javascript
// Only attach the CSRF header when the URL is not an absolute http(s) URL.
if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
```

to this:

```javascript
// Also treat absolute URLs that start with the current page's origin as local.
var root = location.protocol + '//' + location.host;
if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url)) ||
    settings.url.substr(0, root.length) === root) {
```
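As an added example (not code from the ticket, the attached patch, or the Django docs), a stricter form of the same-origin test the description proposes: it accepts the origin only when it matches exactly or is followed by `/`, rather than as a bare string prefix, and it treats protocol-relative `//host/...` URLs as absolute rather than relative. The origin is passed in explicitly so the check runs outside a browser; `getCookie` is a hypothetical helper assumed to read the `csrftoken` cookie.

```javascript
// Added example: same-origin gate for the X-CSRFToken header.
// In a page, origin would be location.protocol + '//' + location.host.

function isRelativeUrl(url) {
  // Absolute http(s) URLs and protocol-relative //host URLs are not relative.
  return !/^(\/\/|https?:)/i.test(url);
}

function isSameOrigin(url, origin) {
  // Require an exact match or origin + '/', never a bare prefix match:
  // 'https://example.com.evil.com/' must fail for origin 'https://example.com'.
  if (url === origin) return true;
  if (url.slice(0, origin.length + 1) === origin + '/') return true;
  // Protocol-relative form of the same host resolves to the current scheme.
  const hostOnly = origin.replace(/^https?:/i, '');
  if (url === hostOnly) return true;
  if (url.slice(0, hostOnly.length + 1) === hostOnly + '/') return true;
  return false;
}

function shouldSendCsrfToken(url, origin) {
  // Relative URLs and same-origin absolute URLs get the token; nothing else does.
  return isRelativeUrl(url) || isSameOrigin(url, origin);
}

// Wiring the check into jQuery's ajaxSend hook (browser only).
// getCookie is a hypothetical helper that returns the csrftoken cookie value.
function installCsrfHook($, getCookie) {
  const origin = location.protocol + '//' + location.host;
  $(document).ajaxSend(function (event, xhr, settings) {
    if (shouldSendCsrfToken(settings.url, origin)) {
      xhr.setRequestHeader('X-CSRFToken', getCookie('csrftoken'));
    }
  });
}
```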
Attachments (1)
Change History (2)
14 years ago: attachment ajax_csrf_fix.patch added
comment:1, 14 years ago
Field | Change
---|---
Description | modified (diff)
Resolution | → duplicate
Status | new → closed
Triage Stage | Unreviewed → Accepted
This is essentially the same as #15869 with different circumstances (i.e. certain libraries rather than certain browsers).
BTW, please use preview to check that your description comes out properly formatted.
Attachment description: modifies the Ajax CSRF code in the docs to look for the current page's domain as well as relative URLs.