
Add security hardenings to $.ajax() #19014

Merged

Conversation

LukasReschke
Member

Adds two security hardenings to $.ajax():

  1. Do not add sensitive request headers for cross-domain requests
  2. Disable automatic evaluation of responses
    • If a response to a $.ajax() request returns a content type of "application/javascript"
      jQuery would previously execute the response body. This is a pretty unexpected
      behaviour and can result in a bypass of our Content-Security-Policy as well as
      multiple unexpected XSS vectors.
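The two hardenings described above, written out as an added example (this is not ownCloud's code or the code from this PR). It assumes a hypothetical CSRF header named `requesttoken`, and takes the page origin and token as parameters instead of reading them from `window.location` or the DOM so the logic can run outside a browser; the jQuery wiring at the bottom is likewise an assumed sketch.

```javascript
// Added example, not ownCloud's code: the two hardenings from this PR
// expressed as a jQuery-style prefilter over the request options.
// Assumptions (hypothetical): the CSRF header is named "requesttoken",
// and the page origin plus token are passed in rather than read from
// window.location / a DOM element, so the logic runs outside a browser.

// Same-origin check on the (scheme, host, port) tuple. Relative URLs are
// resolved against the page origin, so "/index.php/..." is same-origin.
function isCrossDomain(requestUrl, pageOrigin) {
  const origin = new URL(pageOrigin);
  const target = new URL(requestUrl, origin);
  return target.protocol !== origin.protocol
      || target.hostname !== origin.hostname
      || target.port !== origin.port;
}

// Returns a copy of the $.ajax() options with both hardenings applied.
function hardenAjaxOptions(options, pageOrigin, csrfToken) {
  const hardened = { ...options, headers: { ...(options.headers || {}) } };

  // 1. Attach the CSRF token only to same-origin requests; a token sent
  //    to a third-party host would be disclosed to that host.
  if (isCrossDomain(hardened.url, pageOrigin)) {
    delete hardened.headers.requesttoken;
  } else {
    hardened.headers.requesttoken = csrfToken;
  }

  // 2. Stop jQuery from sniffing "application/javascript" responses into
  //    dataType "script" (which it would then evaluate). jQuery's "contents"
  //    table maps Content-Type patterns to data types; disabling the
  //    script entry leaves such responses as plain text. An explicit
  //    dataType "script" (what $.getScript uses) keeps the old behaviour.
  if (hardened.dataType !== 'script') {
    hardened.contents = { ...(hardened.contents || {}), script: false };
  }
  return hardened;
}

// In a browser the same logic would be wired through jQuery's own hooks
// (assumed wiring, not executed here):
//   $.ajaxSetup({ contents: { script: false } });
//   $.ajaxPrefilter(function (options) {
//     if (options.crossDomain && options.headers) {
//       delete options.headers.requesttoken;
//     }
//   });
```

The origin comparison deliberately includes the port, so a request to the same host on a different port is treated as cross-domain and gets no token; the `contents.script: false` override is what keeps a plain `$.get()` from evaluating a script body while an explicit `dataType: 'script'` still does.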

@LukasReschke LukasReschke added this to the 8.2-current milestone Sep 14, 2015
@scrutinizer-notifier

A new inspection was created.

@LukasReschke
Member Author

@MorrisJobke @nickvergessen Mind testing? :)

@icewind1991
Contributor

> Disable automatic evaluation of responses

Does this affect $.getScript?

Prevents leaking the CSRF token to another third-party domain by mistake.
If a response to a $.ajax() request returns a content type of "application/javascript"
jQuery would previously execute the response body. This is a pretty unexpected
behaviour and can result in a bypass of our Content-Security-Policy as well as
multiple unexpected XSS vectors.

@LukasReschke
Member Author

> Does this affect $.getScript?

No. $.getScript is overriding the default behaviour. $.getScript will still behave as before.

Tested with:

```javascript
// Browser side: a plain request and an explicit script request to the same URL.
$.get('http://localhost/test.php');
$.getScript('http://localhost/test.php');
```

```php
<?php
// test.php: serves a JavaScript body with a script content type.
header('Content-Type: application/javascript');
?>
alert(1);
```

@LukasReschke LukasReschke force-pushed the dont-add-requestheaders-for-cross-domain-requests branch from a6fb35c to f2d63d3 Compare September 15, 2015 09:44
@icewind1991
Contributor

👍

@rullzer
Contributor

rullzer commented Sep 15, 2015

Looks good! And your testcase works as expected. 👍

@VicDeo
Member

VicDeo commented Sep 15, 2015

👍 Tested

DeepDiver1975 added a commit that referenced this pull request Sep 15, 2015
…ross-domain-requests

Add security hardenings to $.ajax()
@DeepDiver1975 DeepDiver1975 merged commit 2fc1963 into master Sep 15, 2015
@DeepDiver1975 DeepDiver1975 deleted the dont-add-requestheaders-for-cross-domain-requests branch September 15, 2015 22:16
@lock lock bot locked as resolved and limited conversation to collaborators Aug 10, 2019
Successfully merging this pull request may close these issues.

requesttoken.js verify that request goes to ownCloud domain