Send the CSRF token with Ajax requests (#7843).
Contributed by Etienne Massip. git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@5134 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
parent
9049d58de4
commit
b38b871c7f
|
@ -5,6 +5,7 @@
|
||||||
<title><%=h html_title %></title>
|
<title><%=h html_title %></title>
|
||||||
<meta name="description" content="<%= Redmine::Info.app_name %>" />
|
<meta name="description" content="<%= Redmine::Info.app_name %>" />
|
||||||
<meta name="keywords" content="issue,bug,tracker" />
|
<meta name="keywords" content="issue,bug,tracker" />
|
||||||
|
<%= csrf_meta_tag %>
|
||||||
<%= favicon %>
|
<%= favicon %>
|
||||||
<%= stylesheet_link_tag 'application', :media => 'all' %>
|
<%= stylesheet_link_tag 'application', :media => 'all' %>
|
||||||
<%= stylesheet_link_tag 'rtl', :media => 'all' if l(:direction) == 'rtl' %>
|
<%= stylesheet_link_tag 'rtl', :media => 'all' if l(:direction) == 'rtl' %>
|
||||||
|
|
|
@ -299,9 +299,27 @@ var WarnLeavingUnsaved = Class.create({
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
/* shows and hides ajax indicator */
|
/*
|
||||||
|
* 1 - registers a callback which copies the csrf token into the
|
||||||
|
* X-CSRF-Token header with each ajax request. Necessary to
|
||||||
|
* work with rails applications which have fixed
|
||||||
|
* CVE-2011-0447
|
||||||
|
* 2 - shows and hides ajax indicator
|
||||||
|
*/
|
||||||
Ajax.Responders.register({
|
Ajax.Responders.register({
|
||||||
onCreate: function(){
|
onCreate: function(request){
|
||||||
|
var csrf_meta_tag = $$('meta[name=csrf-token]')[0];
|
||||||
|
|
||||||
|
if (csrf_meta_tag) {
|
||||||
|
var header = 'X-CSRF-Token',
|
||||||
|
token = csrf_meta_tag.readAttribute('content');
|
||||||
|
|
||||||
|
if (!request.options.requestHeaders) {
|
||||||
|
request.options.requestHeaders = {};
|
||||||
|
}
|
||||||
|
request.options.requestHeaders[header] = token;
|
||||||
|
}
|
||||||
|
|
||||||
if ($('ajax-indicator') && Ajax.activeRequestCount > 0) {
|
if ($('ajax-indicator') && Ajax.activeRequestCount > 0) {
|
||||||
Element.show('ajax-indicator');
|
Element.show('ajax-indicator');
|
||||||
}
|
}
|
||||||
|
|
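Review bot: `request.options.requestHeaders[header] = token` assumes `requestHeaders` is a plain object, but Prototype's `Ajax.Request` also accepts it as a flat array of name/value pairs (`['X-Foo', 'bar']`) and `setRequestHeaders` walks an array by numeric index, so a caller that passes the array form would have the token silently dropped from the request. Branching on the shape covers both forms: `if (Object.isArray(request.options.requestHeaders)) { request.options.requestHeaders.push(header, token); } else { request.options.requestHeaders[header] = token; }`. Separately, the responder attaches the token to every Ajax request regardless of destination, so any future call to a foreign host would send the session's token in a header; restricting the header to same-origin URLs (compare `request.url` against `window.location` before setting it) keeps the CVE-2011-0447 fix from becoming a token-disclosure path. The `$$('meta[name=csrf-token]')` lookup also runs on every request; reading the meta tag once at load time and keeping the null guard would be cheaper with the same behavior.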