#22859 closed Bug (fixed)
set crossDomain = false in ajaxSetup is bad
Reported by: | flisky | Owned by: | nobody |
---|---|---|---|
Component: | Documentation | Version: | dev |
Severity: | Normal | Keywords: | |
Cc: | Triage Stage: | Accepted | |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description
The docs suggest this -
$.ajaxSetup({ crossDomain: false, // obviates need for sameOrigin test beforeSend: function(xhr, settings) { if (!csrfSafeMethod(settings.type)) { xhr.setRequestHeader("X-CSRFToken", csrftoken); } } });
However, people need to set corssDomain = true if there is a crossDomain request under some circumstances.
(In my case, I use CORS with server responsed with 'Access-Control-Allow-Origin' and no 'Access-Control-Request-Headers')
Actually, jQuery does this more intelligently:
default: false for same-domain requests, true for cross-domain requests
And jQuery set the crossDomain value before calling beforeSend
, so I propose this:
$.ajaxSetup({ beforeSend: function(xhr, settings) { if (!csrfSafeMethod(settings.type) && !this.crossDomain) { xhr.setRequestHeader("X-CSRFToken", csrftoken); } } });
Change History (6)
comment:1 by , 10 years ago
Triage Stage: | Unreviewed → Accepted |
---|
comment:2 by , 10 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
Note:
See TracTickets
for help on using tickets.
In 0be4d64487537fe5fe220cfb8896c4da08bb22a8: