Do not add sensitive request headers for cross domain requests
Prevents leaking the CSRF token to another third-party domain by mistake.
LukasReschke committed Sep 15, 2015
1 parent 24d2cbf commit cd90685
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions core/js/oc-requesttoken.js
@@ -1,4 +1,6 @@
$(document).on('ajaxSend',function(elm, xhr) {
xhr.setRequestHeader('requesttoken', oc_requesttoken);
xhr.setRequestHeader('OCS-APIREQUEST', 'true');
$(document).on('ajaxSend',function(elm, xhr, settings) {
if(settings.crossDomain === false) {
xhr.setRequestHeader('requesttoken', oc_requesttoken);
xhr.setRequestHeader('OCS-APIREQUEST', 'true');
}
});
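Review bot: the strict `settings.crossDomain === false` gate is the safe shape here, since it fails closed: if jQuery has not classified the request (`crossDomain` undefined) or a caller has forced `crossDomain: true`, neither `requesttoken` nor `OCS-APIREQUEST` is attached, whereas `if (!settings.crossDomain)` would attach them whenever the flag is missing. A one-line comment above the `if` stating that `settings.crossDomain` is jQuery's own same-origin judgement of the request URL and that the strict comparison is intentional would stop a later cleanup from weakening it. The commit changes only `core/js/oc-requesttoken.js` and adds no test; a small JS test asserting that the two headers are absent for a cross-domain URL and present for a same-origin one would keep this fix from regressing.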
