
[1.2.X] Fixed #15869 - example AJAX code in CSRF docs fails sometimes for IE7 or absolute same origin URLs

Thanks to nick for the report.

Backport of [16183] from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@16185 bcc190cf-cafb-0310-a4f2-bffc1f526a37
1 parent 1dc5185 commit 87fa64ca7c24fe16189fe638805e09a66c52b403 @spookylukey spookylukey committed May 9, 2011
Showing with 14 additions and 3 deletions.
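--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -96,7 +96,7 @@ that allow headers to be set on every request. In jQuery, you can use the
 .. code-block:: javascript
-$('html').ajaxSend(function(event, xhr, settings) {
+$(document).ajaxSend(function(event, xhr, settings) {
 function getCookie(name) {
 var cookieValue = null;
 if (document.cookie && document.cookie != '') {
@@ -112,8 +112,19 @@ that allow headers to be set on every request. In jQuery, you can use the
 }
 return cookieValue;
 }
-if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
-// Only send the token to relative URLs i.e. locally.
+function sameOrigin(url) {
+// url could be relative or scheme relative or absolute
+var host = document.location.host; // host + port
+var protocol = document.location.protocol;
+var sr_origin = '//' + host;
+var origin = protocol + sr_origin;
+// Allow absolute or scheme relative URLs to same origin
+return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||
+(url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||
+// or any other URL that isn't scheme relative or absolute i.e relative.
+!(/^(\/\/|http:|https:).*/.test(url));
+}
+if (sameOrigin(settings.url)) {
 xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
 }
 });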
