Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

DEV: prevents csrf-token initializer to leak session object (#7730)

This commit is contained in:
Joffrey JAFFEUX 2019-06-07 16:46:55 +02:00 committed by GitHub
parent df01249db4
commit da5255e560
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
app/assets/javascripts/discourse/initializers/csrf-token.js.es6
View File

@ -1,15 +1,20 @@
// Append our CSRF token to AJAX requests when necessary.
export default {
name: "csrf-token",
initialize: function(container) {
var session = container.lookup("session:main");
initialize(container) {
const session = container.lookup("session:main");
const csrfToken = document
.querySelector("meta[name=csrf-token]")
.getAttribute("content");
// Add a CSRF token to all AJAX requests
session.set("csrfToken", $("meta[name=csrf-token]").attr("content"));
session.set("csrfToken", csrfToken);
$.ajaxPrefilter(function(options, originalOptions, xhr) {
$.ajaxPrefilter((options, originalOptions, xhr) => {
if (!options.crossDomain) {
xhr.setRequestHeader("X-CSRF-Token", session.get("csrfToken"));
xhr.setRequestHeader("X-CSRF-Token", csrfToken);
}
});
}