Disable automatic evaluation of responses

If a response to a $.ajax() request returns a content type of "application/javascript" JQuery would previously execute the response body. This is a pretty unexpected behaviour and can result in a bypass of our Content-Security-Policy as well as multiple unexpected XSS vectors.
owncloud · Sep 15, 2015 · f2d63d3 · f2d63d3
1 parent cd90685
commit f2d63d3
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/core/js/js.js b/core/js/js.js
@@ -1215,6 +1215,20 @@ function object(o) {
  * Initializes core
  */
 function initCore() {
+	/**
+	 * Disable automatic evaluation of responses for $.ajax() functions (and its
+	 * higher-level alternatives like $.get() and $.post()).
+	 *
+	 * If a response to a $.ajax() request returns a content type of "application/javascript"
+	 * JQuery would previously execute the response body. This is a pretty unexpected
+	 * behaviour and can result in a bypass of our Content-Security-Policy as well as
+	 * multiple unexpected XSS vectors.
+	 */
+	$.ajaxSetup({
+		contents: {
+			script: false
+		}
+	});
 
 	/**
 	 * Set users locale to moment.js as soon as possible