Opened 14 years ago

Closed 14 years ago

#15973 closed Bug (duplicate)

Ajax CSRF code in docs doesn't always work. — at Version 1

Reported by: ehutch79@… Owned by: nobody
Component: Documentation Version: 1.3
Severity: Normal Keywords:
Cc: Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description (last modified by Luke Plant)

while making urls are local, simply filtering for relative urls is not sufficient. several libraries may end up requesting a fully qualified url that is in fact local.

my suggestion is to change this line:

if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {

to this:

var root = location.protocol + '//' + location.host;
if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url)) || settings.url.substr(0, root.length) === root  ) {

Change History (2)

by ehutch79@…, 14 years ago

Attachment: ajax_csrf_fix.patch added

modifies the ajax csrf code in the docs to look for the current pages domain as well as relative urls

comment:1 by Luke Plant, 14 years ago

Description: modified (diff)
Resolution: duplicate
Status: newclosed
Triage Stage: UnreviewedAccepted

This is essentially the same as #15869 with different circumstances (i.e. certain libraries rather than certain browsers).

BTW, please use preview to check that your description comes out properly formatted.

Note: See TracTickets for help on using tickets.
Back to Top