Opened 7 years ago

Closed 7 years ago

#15973 closed Bug (duplicate)

Ajax CSRF code in docs doesn't always work.

Reported by: ehutch79@… Owned by: nobody
Component: Documentation Version: 1.3
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX:

Description (last modified by Luke Plant)

while making urls are local, simply filtering for relative urls is not sufficient. several libraries may end up requesting a fully qualified url that is in fact local.

my suggestion is to change this line:

if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {

to this:

var root = location.protocol + '//' + location.host;
if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url)) || settings.url.substr(0, root.length) === root  ) {

Attachments (1)

ajax_csrf_fix.patch (803 bytes) - added by ehutch79@… 7 years ago.
modifies the ajax csrf code in the docs to look for the current pages domain as well as relative urls

Download all attachments as: .zip

Change History (2)

Changed 7 years ago by ehutch79@…

Attachment: ajax_csrf_fix.patch added

modifies the ajax csrf code in the docs to look for the current pages domain as well as relative urls

comment:1 Changed 7 years ago by Luke Plant

Description: modified (diff)
Resolution: duplicate
Status: newclosed
Triage Stage: UnreviewedAccepted

This is essentially the same as #15869 with different circumstances (i.e. certain libraries rather than certain browsers).

BTW, please use preview to check that your description comes out properly formatted.

Note: See TracTickets for help on using tickets.
Back to Top