Skip to content


Subversion checkout URL

You can clone with
Download ZIP
Browse files

Fixed #2234 - form hijacking wasn't respecting allowCrossDomainPages,…

… now it does!
  • Loading branch information...
commit 88754ac1643a133686b72520d24e32524a737452 1 parent ff93c76
@adrianpike authored
Showing with 4 additions and 2 deletions.
  1. +4 −2 js/
6 js/
@@ -1256,8 +1256,10 @@
url = path.makeUrlAbsolute( url, getClosestBaseUrl($this) );
- //external submits use regular HTTP
- if( path.isExternal( url ) || target ) {
+ // More info about what's going on here is up in useDefaultUrlHandling in the Click routing.
+ // Basically if we loaded via file:// and we've got "allowCrossDomainPages" true, we should use changePage.
+ isCrossDomainPageLoad = ( $.mobile.allowCrossDomainPages && documentUrl.protocol === "file:");

I'm under the impression that the allowCrossDomainPages attribute was put in place to handle CORS requests but the variable name and the logical and operator seem to suggest that cross domain page loads are confined to those made with the file protocol. Was that the intention?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
+ if(( path.isExternal( url ) && !isCrossDomainPageLoad) || target ) {

1 comment on commit 88754ac


Yes - I'm basically using the same functionality @jblas put in place under the click handler.
(Better comment here:

Looks like this was originally set up in 2aab30b

I'd be definitely fine with making it wide open if allowCrossDomainPages is true, but I didn't want to do anything too dangerous, so I stuck with just bringing the clickhandler stuff over for forms. :)

Please sign in to comment.
Something went wrong with that request. Please try again.