author | Luke Plant <L.Plant.98@cantab.net> | 2011-05-09 15:49:54 +0000 |
---|---|---|
committer | Luke Plant <L.Plant.98@cantab.net> | 2011-05-09 15:49:54 +0000 |
commit | 87fa64ca7c24fe16189fe638805e09a66c52b403 (patch) | |
tree | 849be5f24cc9522385f9e7aecd3d1780e97901c2 | |
parent | 1dc518555b137beb7b3ffabc8d0e68edd2b27e61 (diff) | |
download | django-87fa64ca7c24fe16189fe638805e09a66c52b403.tar.gz |
[1.2.X] Fixed #15869 - example AJAX code in CSRF docs fails sometimes for IE7 or absolute same origin URLs
Thanks to nick for the report.
Backport of [16183] from trunk.
git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.2.X@16185 bcc190cf-cafb-0310-a4f2-bffc1f526a37
-rw-r--r-- | docs/ref/contrib/csrf.txt | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index cd412b3043..7cf527eb3e 100644
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -96,7 +96,7 @@ that allow headers to be set on every request. In jQuery, you can use the
 .. code-block:: javascript
- $('html').ajaxSend(function(event, xhr, settings) {
+ $(document).ajaxSend(function(event, xhr, settings) {
 function getCookie(name) {
 var cookieValue = null;
 if (document.cookie && document.cookie != '') {
@@ -112,8 +112,19 @@ that allow headers to be set on every request. In jQuery, you can use the
 }
 return cookieValue;
 }
- if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
- // Only send the token to relative URLs i.e. locally.
+ function sameOrigin(url) {
+ // url could be relative or scheme relative or absolute
+ var host = document.location.host; // host + port
+ var protocol = document.location.protocol;
+ var sr_origin = '//' + host;
+ var origin = protocol + sr_origin;
+ // Allow absolute or scheme relative URLs to same origin
+ return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||
+ (url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||
+ // or any other URL that isn't scheme relative or absolute i.e relative.
+ !(/^(\/\/|http:|https:).*/.test(url));
+ }
+ if (sameOrigin(settings.url)) {
 xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
 }
 }); |
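Review bot: The final branch of sameOrigin in the second hunk, `!(/^(\/\/|http:|https:).*/.test(url))`, is case-sensitive while URL schemes are not, so an absolute URL whose scheme is written in upper case (e.g. `HTTP://...`) would not match the pattern, would be classified as relative, and X-CSRFToken would be attached to it. The origin and sr_origin comparisons above it fail closed on any mismatch (including a differently-cased host), so this last branch is the only one that can err toward sending the token. Adding the case-insensitive flag, `!(/^(\/\/|http:|https:).*/i.test(url))`, closes that gap without changing the result for lower-case URLs. Since readers copy this snippet verbatim, a one-line comment stating that the check is intentionally conservative and that anything not positively recognised as same-origin or relative gets no token would also help. The ajaxSend callback that encloses sameOrigin starts in the first hunk.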