mirror of
https://github.com/rails/rails.git
synced 2022-11-09 12:12:34 -05:00
Check that request is same-origin prior to including CSRF token in XHRs
[CVE-2020-8167]
This commit is contained in:
parent
358ff18975
commit
a20fbf9bc5
1 changed files with 4 additions and 3 deletions
|
@ -52,9 +52,10 @@ createXHR = (options, done) ->
|
|||
# Sending FormData will automatically set Content-Type to multipart/form-data
|
||||
if typeof options.data is 'string'
|
||||
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded; charset=UTF-8')
|
||||
xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest') unless options.crossDomain
|
||||
# Add X-CSRF-Token
|
||||
CSRFProtection(xhr)
|
||||
unless options.crossDomain
|
||||
xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest')
|
||||
# Add X-CSRF-Token
|
||||
CSRFProtection(xhr)
|
||||
xhr.withCredentials = !!options.withCredentials
|
||||
xhr.onreadystatechange = ->
|
||||
done(xhr) if xhr.readyState is XMLHttpRequest.DONE
|
||||
|
|
Loading…
Reference in a new issue