
setRequestHeader must be called after the http.open call

commit 643e983284e1058584fc8a9e56ca9f6e4cf9b580 1 parent 08000cc
@mostafaeweda mostafaeweda authored
Showing with 16 additions and 13 deletions.
  1. +16 −13 core/lib/teleport/http.js
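--- a/core/lib/teleport/http.js
+++ b/core/lib/teleport/http.js
@@ -424,30 +424,33 @@ apf.http = function(){
 httpUrl += (httpUrl.indexOf("?") == -1 ? "?" : "&") +
 encodeURIComponent(requestedWithParam) + "=1";
 }
+
+ var withCredentials = false;
+ if ("withCredentials" in options) {
+ withCredentials = options.withCredentials;
+ }
+ else {
+ withCredentials = (apf.config && apf.config["cors-with-credentials"]) || false;
+ }
+ http.withCredentials = withCredentials;
+
 // global support for protection against Cross Site Request Forgery
 // attacks by supplying a token to the global APF config object. This
 // token will be appended to the URL and sent for each XHR.
 // Warning: if you are doing CORS, be sure to use a different method!
+ var method = this.method || options.method || "GET";
 var CSRFHeader = apf.config ? apf.config["csrf-header"] : null;
 var CSRFToken = apf.config ? apf.config["csrf-token"] : null;
- if (CSRFHeader) {
- setRequestHeader("X-CSRF-Token", CSRFHeader);
- }
- else if (CSRFToken) {
+ if (method !== "GET" && CSRFToken) {
 CSRFToken = CSRFToken.split("=").map(function(s) { return encodeURIComponent(s); }).join("=");
 httpUrl += (httpUrl.indexOf("?") == -1 ? "?" : "&") + CSRFToken;
 }
- var withCredentials = false;
- if ("withCredentials" in options) {
- withCredentials = options.withCredentials;
- }
- else {
- withCredentials = (apf.config && apf.config["cors-with-credentials"]) || false;
- }
+ http.open(method, httpUrl, async);
- http.withCredentials = withCredentials;
- http.open(this.method || options.method || "GET", httpUrl, async);
+ if (method !== "GET" && CSRFHeader) {
+ setRequestHeader("X-CSRF-Token", CSRFHeader);
+ }
 if (options.username) {
 setRequestHeader("Authorization", "Basic "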
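Review bot: With the `else if` split into two independent checks, a configuration that sets both `csrf-header` and `csrf-token` now gets the token appended to the query string as well as sent in `X-CSRF-Token`, whereas before the header took precedence. A token in the URL is recorded in server and proxy logs and can travel in `Referer`, so I would keep the header exclusive: `if (method !== "GET" && CSRFToken && !CSRFHeader) {`. The `method !== "GET"` test is also case-sensitive, so a caller passing `"get"` would still have the token attached; comparing against `method.toUpperCase()` would cover that. Neither branch checks whether `httpUrl` is same-origin, which the existing CORS warning comment hints at; the enclosing function starts and ends outside this hunk, so a check elsewhere cannot be ruled out.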