
Added optional support for CSRF protection, fixing #69.

1 parent f12549f commit cdbeaba183c8468cdfbfdaad9269ffe8feca6618 @toolness toolness committed
Showing with 8 additions and 2 deletions.
  1. +1 −0 index.html
  2. +5 −1 js/fc/publisher.js
  3. +2 −1 js/main.js
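--- a/index.html
+++ b/index.html
@@ -4,6 +4,7 @@
 <meta charset="utf-8">
 <meta name="remix-url" content="">
 <meta name="publish-url" content="http://thimbletest.org">
+<meta name="csrf-token" content="">
 <base target="_blank">
 <!-- Dynamic servers like Django sites can serve this editor at a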
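Review bot: The new csrf-token meta ships with an empty content attribute and nothing on the page says who is expected to fill it, so a static deployment silently ends up with no token and the publish request goes out without the header. A short comment next to it would make the contract explicit, e.g. `<!-- Filled in by the serving backend; left empty when hosted statically -->`. The enclosing head element starts and ends outside the hunk.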
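--- a/js/fc/publisher.js
+++ b/js/fc/publisher.js
@@ -5,7 +5,7 @@
 define(function() {
 var myOrigin = window.location.protocol + "//" + window.location.host;
-function Publisher(baseURL) {
+function Publisher(baseURL, csrfToken) {
 // We want to support CORS for development but in production it doesn't
 // matter because all requests will be same-origin. However, browsers
 // that don't support CORS will barf if they're given absolute URLs to
@@ -35,6 +35,9 @@ define(function() {
 });
 },
 saveCode: function(data, originalURL, cb) {
+var headers = {};
+if (csrfToken)
+headers['X-CSRFToken'] = csrfToken;
 $.ajax({
 type: 'POST',
 url: makeURL('/api/page'),
@@ -43,6 +46,7 @@ define(function() {
 'original-url': originalURL || ''
 },
 dataType: 'text',
+headers: headers,
 error: function() {
 cb("ERROR");
 },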
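Review bot: In the saveCode hunk the X-CSRFToken header is attached whenever csrfToken is non-empty, regardless of where makeURL('/api/page') resolves; the comment above Publisher says development builds support CORS, so in that configuration the token would be sent to a foreign origin, which both defeats its purpose and discloses it. The header should only be set when the request is same-origin — `myOrigin` is already computed at the top of the module and can be compared against the resolved URL — and the header name deserves a comment, e.g. `// Django's default CSRF header name; only sent on same-origin requests`. Whether other mutating requests in this module would also need the header cannot be seen from here. saveCode's $.ajax call continues past the end of the hunk.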
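--- a/js/main.js
+++ b/js/main.js
@@ -41,6 +41,7 @@ define("main", function(require) {
 AppReady = require("appReady!"),
 publishURL = $("meta[name='publish-url']").attr("content"),
 pageToLoad = $("meta[name='remix-url']").attr("content"),
+csrfToken = $("meta[name='csrf-token']").attr("content"),
 Modals = require("fc/ui/modals"),
 TextUI = require("fc/ui/text"),
 supportsPushState = window.history.pushState ? true : false,
@@ -91,7 +92,7 @@ define("main", function(require) {
 previewArea: $("#preview-holder")
 });
 var previewToEditorMapping = PreviewToEditorMapping(preview, $(".CodeMirror-lines"));
-var publisher = Publisher(publishURL);
+var publisher = Publisher(publishURL, csrfToken);
 var publishUI = PublishUI({
 codeMirror: codeMirror,
 publisher: publisher,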
