#22859 closed Bug (fixed)
set crossDomain = false in ajaxSetup is bad
| Reported by: | flisky | Owned by: | nobody |
|---|---|---|---|
| Component: | Documentation | Version: | dev |
| Severity: | Normal | Keywords: | |
| Cc: | Triage Stage: | Accepted | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
The docs suggest this -
```javascript
$.ajaxSetup({
    crossDomain: false, // obviates need for sameOrigin test
    beforeSend: function(xhr, settings) {
        if (!csrfSafeMethod(settings.type)) {
            xhr.setRequestHeader("X-CSRFToken", csrftoken);
        }
    }
});
```
However, people need to set crossDomain = true if there is a cross-domain request under some circumstances.
(In my case, I use CORS with the server responding with 'Access-Control-Allow-Origin' and no 'Access-Control-Request-Headers'.)
Actually, jQuery does this more intelligently:
default: false for same-domain requests, true for cross-domain requests
And jQuery sets the crossDomain value before calling beforeSend, so I propose this:
```javascript
$.ajaxSetup({
    beforeSend: function(xhr, settings) {
        if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
            xhr.setRequestHeader("X-CSRFToken", csrftoken);
        }
    }
});
```
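The two setups in the description, compared side by side in an added example that is not part of the ticket or of Django's documentation. It shows which requests end up carrying `X-CSRFToken` under each one. `simulate()` is a hypothetical stand-in for `$.ajax`, and the URLs and token value are constructed.

```javascript
"use strict";
// Added illustration: simulate() is a hypothetical stand-in for $.ajax, not jQuery code.
const PAGE = "https://app.example.test/form/";   // constructed page URL
const csrftoken = "constructed-token-value";     // constructed sample value

function csrfSafeMethod(method) {
  // Methods that do not require CSRF protection.
  return /^(GET|HEAD|OPTIONS|TRACE)$/.test(method);
}

// Hook from the documentation snippet quoted in the ticket.
function docsBeforeSend(xhr, settings) {
  if (!csrfSafeMethod(settings.type)) {
    xhr.setRequestHeader("X-CSRFToken", csrftoken);
  }
}

// Hook proposed in the ticket: also skip cross-domain requests.
function proposedBeforeSend(xhr, settings) {
  if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
    xhr.setRequestHeader("X-CSRFToken", csrftoken);
  }
}

// Fill in crossDomain only when the caller has not set it (the default the
// ticket describes), then run the hook with `this` bound to the settings.
function simulate(setup, request) {
  const settings = Object.assign({}, setup, request);
  if (settings.crossDomain == null) {
    settings.crossDomain =
      new URL(settings.url, PAGE).origin !== new URL(PAGE).origin;
  }
  const headers = {};
  const xhr = { setRequestHeader: (name, value) => { headers[name] = value; } };
  settings.beforeSend.call(settings, xhr, settings);
  return { crossDomain: settings.crossDomain, headers };
}

const docsSetup = { crossDomain: false, beforeSend: docsBeforeSend };
const proposedSetup = { beforeSend: proposedBeforeSend };
const requests = [
  { type: "POST", url: "/api/save/" },                       // same origin
  { type: "POST", url: "https://api.example.test/save/" },   // other origin
  { type: "GET", url: "/api/list/" },                        // safe method
];
for (const r of requests) {
  const a = simulate(docsSetup, r), b = simulate(proposedSetup, r);
  console.log(r.type, r.url, "docs:", "X-CSRFToken" in a.headers,
              "proposed:", "X-CSRFToken" in b.headers);
}
```

Only the cross-origin POST differs: the documentation setup attaches the token to it, the proposed hook leaves it off.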
Change History (6)
comment:1 by , 11 years ago
| Triage Stage: | Unreviewed → Accepted |
|---|
comment:2 by , 11 years ago
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
In 0be4d64487537fe5fe220cfb8896c4da08bb22a8: