Check that request is same-origin prior to including CSRF token in XHRs
[CVE-2020-8167]
This commit is contained in:
parent
358ff18975
commit
a20fbf9bc5
1 changed files with 4 additions and 3 deletions
|
@ -52,9 +52,10 @@ createXHR = (options, done) ->
|
||||||
# Sending FormData will automatically set Content-Type to multipart/form-data
|
# Sending FormData will automatically set Content-Type to multipart/form-data
|
||||||
if typeof options.data is 'string'
|
if typeof options.data is 'string'
|
||||||
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8')
|
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8')
|
||||||
xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest') unless options.crossDomain
|
unless options.crossDomain
|
||||||
# Add X-CSRF-Token
|
xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest')
|
||||||
CSRFProtection(xhr)
|
# Add X-CSRF-Token
|
||||||
|
CSRFProtection(xhr)
|
||||||
xhr.withCredentials = !!options.withCredentials
|
xhr.withCredentials = !!options.withCredentials
|
||||||
xhr.onreadystatechange = ->
|
xhr.onreadystatechange = ->
|
||||||
done(xhr) if xhr.readyState is XMLHttpRequest.DONE
|
done(xhr) if xhr.readyState is XMLHttpRequest.DONE
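Review bot: The same-origin decision on the new `unless options.crossDomain` line still rests entirely on a caller-supplied flag, so any caller of createXHR that omits `crossDomain` or passes a stale value keeps sending the session's CSRF token to a foreign origin, which is exactly the leak this commit is meant to close. Deriving the flag from the request URL inside this function would make the check self-contained — assuming `options.url` is what the earlier `xhr.open` call in createXHR uses (that call and the start of createXHR are above the hunk), something like `a = document.createElement('a'); a.href = options.url` followed by `options.crossDomain ?= a.protocol isnt location.protocol or a.host isnt location.host` before the guard, adjusted to whatever browser support the file targets. The `# Add X-CSRF-Token` comment should also say why the token is now gated, e.g. `# Only same-origin requests get X-Requested-With and the CSRF token; attaching them to a cross-origin request would hand the token to another site.` Since CoffeeScript is indentation-sensitive and the rendered page drops leading whitespace, confirm that both header lines and the comment sit one level inside the `unless` block.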
|
||||||
|
|