Opened 10 years ago

Closed 10 years ago

Last modified 10 years ago

#22859 closed Bug (fixed)

set crossDomain = false in ajaxSetup is bad

Reported by: flisky
Owned by: nobody
Component: Documentation
Version: dev
Severity: Normal
Keywords:
Cc:
Triage Stage: Accepted
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

The docs suggest this -

// csrfSafeMethod() and csrftoken are defined earlier in the same docs example
$.ajaxSetup({
    crossDomain: false, // obviates need for sameOrigin test
    beforeSend: function(xhr, settings) {
        if (!csrfSafeMethod(settings.type)) {
            xhr.setRequestHeader("X-CSRFToken", csrftoken);
        }
    }
});

However, people need to set crossDomain = true if there is a cross-domain request under some circumstances.
(In my case, I use CORS, with the server responding with 'Access-Control-Allow-Origin' and no 'Access-Control-Request-Headers')

Actually, jQuery does this more intelligently:
default: false for same-domain requests, true for cross-domain requests

And jQuery sets the crossDomain value before calling beforeSend, so I propose this:

// csrfSafeMethod() and csrftoken are defined earlier in the same docs example;
// this.crossDomain has already been resolved by jQuery when beforeSend runs
$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
            xhr.setRequestHeader("X-CSRFToken", csrftoken);
        }
    }
});
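
The following is an added example, not part of the ticket, of jQuery or of Django's documentation. It reimplements, without jQuery, the two decisions the report relies on: how jQuery derives the default `crossDomain` value (protocol, host and port of the request URL compared with the page origin, with relative URLs counting as same-origin), and the proposed beforeSend rule that attaches `X-CSRFToken` only to unsafe-method, same-origin requests. The security point is that a CSRF token sent on a cross-origin request is handed to whatever server answers that origin, so the `crossDomain` check must take precedence over the method check. The function names `isCrossDomain`, `shouldSendCsrfToken` and `buildRequestHeaders`, the origin `https://app.example.test` and the cookie string are assumptions of this example; `csrfSafeMethod` and `getCookie` follow the helpers in the Django docs example, except that `getCookie` takes the cookie string as an argument so it runs outside a browser.

```javascript
// Added example (not the ticket's, jQuery's or Django's own code): the
// crossDomain default and the CSRF-header rule, runnable under Node without
// jQuery. Names and sample data below are assumptions of this example.

// HTTP methods Django treats as CSRF-safe (same list as the docs example).
function csrfSafeMethod(method) {
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(method);
}

// Return the named cookie from a "k=v; k2=v2" cookie string, or null.
// The docs helper reads document.cookie; here the string is a parameter.
function getCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const cookie = part.trim();
    if (cookie.startsWith(name + "=")) {
      return decodeURIComponent(cookie.slice(name.length + 1));
    }
  }
  return null;
}

// jQuery's default for crossDomain: a request is cross-domain when protocol,
// host or port differ from the page origin. Relative URLs resolve against
// the page origin and are therefore same-origin; default ports normalise
// to "" so "https://host:443/x" matches "https://host/x".
function isCrossDomain(requestUrl, pageOrigin) {
  const origin = new URL(pageOrigin);
  const target = new URL(requestUrl, pageOrigin);
  return target.protocol !== origin.protocol ||
         target.hostname !== origin.hostname ||
         target.port !== origin.port;
}

// The rule proposed in the ticket: unsafe method AND same-origin.
// A cross-origin request never carries the token, so it cannot leak it.
function shouldSendCsrfToken(method, crossDomain) {
  return !csrfSafeMethod(method) && !crossDomain;
}

// Simulates what a beforeSend hook would set on the XHR. An explicit
// settings.crossDomain overrides the computed default, like passing
// crossDomain: true to $.ajax() for a CORS call.
function buildRequestHeaders(settings, pageOrigin, cookieString) {
  const crossDomain = settings.crossDomain !== undefined
    ? settings.crossDomain
    : isCrossDomain(settings.url, pageOrigin);
  const headers = {};
  if (shouldSendCsrfToken(settings.type, crossDomain)) {
    headers["X-CSRFToken"] = getCookie(cookieString, "csrftoken");
  }
  return headers;
}

// Constructed sample data for the demonstration (assumed, not from the page).
const PAGE_ORIGIN = "https://app.example.test";
const COOKIES = "sessionid=s3ss10n; csrftoken=c5rf70k3n";

// Same-origin POST: token attached.
console.log(buildRequestHeaders({ type: "POST", url: "/api/items/" },
                                PAGE_ORIGIN, COOKIES));
// Same-origin GET: safe method, no token needed.
console.log(buildRequestHeaders({ type: "GET", url: "/api/items/" },
                                PAGE_ORIGIN, COOKIES));
// Cross-origin POST over CORS: no token, so it is not sent to the other host.
console.log(buildRequestHeaders({ type: "POST", url: "https://api.other.test/upload" },
                                PAGE_ORIGIN, COOKIES));
// Explicit crossDomain: true on a same-origin URL also suppresses the token,
// which is why the old docs snippet (crossDomain: false everywhere) was wrong.
console.log(buildRequestHeaders({ type: "POST", url: "/api/items/", crossDomain: true },
                                PAGE_ORIGIN, COOKIES));
```

The last call shows the reporter's case: when a page must set `crossDomain: true` for a CORS request, the old snippet's global `crossDomain: false` in `$.ajaxSetup` would be overridden and the token would still be attached, whereas checking `this.crossDomain` in beforeSend respects the per-request value.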

Change History (6)

comment:1 by Tim Graham, 10 years ago

Triage Stage: Unreviewed → Accepted

comment:2 by Tim Graham <timograham@…>, 10 years ago

Resolution: fixed
Status: new → closed

In 0be4d64487537fe5fe220cfb8896c4da08bb22a8:

Fixed #22859 -- Improved crossDomain technique in CSRF example.

Thanks flisky for the report.

comment:3 by Tim Graham <timograham@…>, 10 years ago

In d29f3b9e878c10417d66e1542ac52fe2ca242cf8:

[1.4.x] Fixed #22859 -- Improved crossDomain technique in CSRF example.

Thanks flisky for the report.

Backport of 0be4d64487 from master

comment:4 by Tim Graham <timograham@…>, 10 years ago

In d4a3fd44f04fd06252ccfdd001772daa35c510d1:

[1.6.x] Fixed #22859 -- Improved crossDomain technique in CSRF example.

Thanks flisky for the report.

Backport of 0be4d64487 from master

comment:5 by Tim Graham <timograham@…>, 10 years ago

In 427f218a5ecec315a18583c1013e315d9102d6d3:

[1.7.x] Fixed #22859 -- Improved crossDomain technique in CSRF example.

Thanks flisky for the report.

Backport of 0be4d64487 from master

comment:6 by Tim Graham <timograham@…>, 10 years ago

In ce06ef5569705ab4a7c0a495deb7fe5efb63c153:

[1.5.x] Fixed #22859 -- Improved crossDomain technique in CSRF example.

Thanks flisky for the report.

Backport of 0be4d64487 from master
