From a20fbf9bc52e9596a675c1071ab3fe052ac4f0dc Mon Sep 17 00:00:00 2001
From: Jack McCracken
Date: Wed, 6 May 2020 11:28:07 -0400
Subject: [PATCH] Check that request is same-origin prior to including CSRF token in XHRs [CVE-2020-8167]

---
 .../app/assets/javascripts/rails-ujs/utils/ajax.coffee | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee b/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee
index 624352f49c..645144022c 100644
--- a/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee
+++ b/actionview/app/assets/javascripts/rails-ujs/utils/ajax.coffee
@@ -52,9 +52,10 @@ createXHR = (options, done) ->
 # Sending FormData will automatically set Content-Type to multipart/form-data
 if typeof options.data is 'string'
 xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8')
- xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest') unless options.crossDomain
- # Add X-CSRF-Token
- CSRFProtection(xhr)
+ unless options.crossDomain
+ xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest')
+ # Add X-CSRF-Token
+ CSRFProtection(xhr)
 xhr.withCredentials = !!options.withCredentials
 xhr.onreadystatechange = ->
 done(xhr) if xhr.readyState is XMLHttpRequest.DONE
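Review bot: The new guard trusts `options.crossDomain` exactly as the caller supplies it, so the fix only holds if every path that builds options for a foreign-origin URL actually sets that flag; nothing in the hunk derives it from `options.url`, and a caller that omits the option still gets the token attached. A defensive default in createXHR itself, e.g. `unless options.crossDomain ? isCrossDomain(options.url)` (the same-origin helper this file appears to define, if it is in scope here), would make the check independent of the caller. The retained comment `# Add X-CSRF-Token` should also state why the header is now conditional, e.g. `# Send X-CSRF-Token only on same-origin requests so it never reaches a foreign host (CVE-2020-8167)`. createXHR begins before this hunk and its remainder lies outside it.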