From d4a3fd44f04fd06252ccfdd001772daa35c510d1 Mon Sep 17 00:00:00 2001 From: Tim Graham Date: Wed, 18 Jun 2014 14:35:38 -0400 Subject: [1.6.x] Fixed #22859 -- Improved crossDomain technique in CSRF example. Thanks flisky for the report. Backport of 0be4d64487 from master --- docs/ref/contrib/csrf.txt | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'docs') diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt index 5c73ba3242..ac495cbbd4 100644 --- a/docs/ref/contrib/csrf.txt +++ b/docs/ref/contrib/csrf.txt @@ -190,9 +190,8 @@ jQuery 1.5 and newer in order to replace the ``sameOrigin`` logic above: return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method)); } $.ajaxSetup({ - crossDomain: false, // obviates need for sameOrigin test beforeSend: function(xhr, settings) { - if (!csrfSafeMethod(settings.type)) { + if (!csrfSafeMethod(settings.type) && !this.crossDomain) { xhr.setRequestHeader("X-CSRFToken", csrftoken); } } -- cgit v1.3