Check that request is same-origin prior to including CSRF token in XHRs

[CVE-2020-8167]
2020-05-06 11:28:07 -04:00 · 2020-05-06 11:28:07 -04:00 · a20fbf9bc5
parent 358ff18975
commit a20fbf9bc5
1 changed files with 4 additions and 3 deletions
--- a/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee
+++ b/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee
@ -52,9 +52,10 @@ createXHR = (options, done) ->
  # Sending FormData will automatically set Content-Type to multipart/form-data
  if typeof options.data is 'string'
    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8')
-  xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest') unless options.crossDomain
-  # Add X-CSRF-Token
-  CSRFProtection(xhr)
+  unless options.crossDomain
+    xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest')
+    # Add X-CSRF-Token
+    CSRFProtection(xhr)
  xhr.withCredentials = !!options.withCredentials
  xhr.onreadystatechange = ->
    done(xhr) if xhr.readyState is XMLHttpRequest.DONE