You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Ajax.Request will execute scripts by default because evalJS option defaults to true. This is a security issue which is supposed to be alleviated by "only for same-origin requests" requirements. Unfortunately, that requirement isn't being enforced properly. So while the URL "http://example.com/" isn't considered same-origin, "//example.com/" is. Ajax.Request.isSameOrigin() needs to normalize URLs first, e.g. by passing them to the URL() constructor. This will also allow using url.origin instead of parsing URLs manually.
The text was updated successfully, but these errors were encountered:
Ajax.Request will execute scripts by default because
evalJSoption defaults totrue. This is a security issue which is supposed to be alleviated by "only for same-origin requests" requirements. Unfortunately, that requirement isn't being enforced properly. So while the URL "http://example.com/" isn't considered same-origin, "//example.com/" is.Ajax.Request.isSameOrigin()needs to normalize URLs first, e.g. by passing them to theURL()constructor. This will also allow usingurl.origininstead of parsing URLs manually.The text was updated successfully, but these errors were encountered: