Check that request is same-origin prior to including CSRF token in XHRs

[CVE-2020-8167]
rails · May 15, 2020 · 47a8dc3 · 47a8dc3
1 parent 29aa538
commit 47a8dc3
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee b/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee
@@ -52,9 +52,10 @@ createXHR = (options, done) ->
   # Sending FormData will automatically set Content-Type to multipart/form-data
   if typeof options.data is 'string'
     xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8')
-  xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest') unless options.crossDomain
-  # Add X-CSRF-Token
-  CSRFProtection(xhr)
+  unless options.crossDomain
+    xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest')
+    # Add X-CSRF-Token
+    CSRFProtection(xhr)
   xhr.withCredentials = !!options.withCredentials
   xhr.onreadystatechange = ->
     done(xhr) if xhr.readyState is XMLHttpRequest.DONE