Bug Tracker

Ticket #7465 (closed bug: fixed)

Opened 4 years ago

Last modified 3 years ago

Incorrect checking for cross-site XHR

Reported by: oryol Owned by: oryol
Priority: low Milestone: 1.5
Component: ajax Version: 1.4.4rc
Keywords: Cc:
Blocking: Blocked by:

Description

I already created http://bugs.jquery.com/ticket/6873 but it was incorrectly closed as duplicate of http://bugs.jquery.com/ticket/6908. But really these issues are completely different.

Let me explain with sort example:

<script src=" http://code.jquery.com/jquery-1.4.3.min.js"></script> <script>

var url = ' http://' + window.location.hostname; $.get(url); $.get(url + ':80');

</script>

  1. Deploy such page to some web server (on 80 port)
  2. Open page in a browser and see requests
  3. Two requests will be made

Expected result: both requests should have X-Requested-With header.

Actual result: only one request (second in platform preview versions of IE9 and first in other browsers) will have this header.

Main problem in this line:

remote = parts && (parts[1] && parts[1] !== location.protocol
parts[2] !== location.host);

Default web port (80) can be presented in window.location.host or not (depends on the browser) also it can (or not)be presented in the URL for AJAX request. So condition parts[2] !== location.host is incorrect if parts[2] (url of request) or location.host (current url reported by browser) contains default port (:80) but not both.

Change History

comment:1 Changed 4 years ago by oryol

 http://jsfiddle.net/Qf8RY/ - demo (see request headers of two requests)

comment:2 Changed 4 years ago by SlexAxton

  • Owner set to oryol
  • Priority changed from undecided to low
  • Status changed from new to pending
  • Component changed from unfiled to ajax

Do you have any insight into what the correct check on that line might be?

comment:3 Changed 4 years ago by oryol

  • Status changed from pending to new

Easy way (from my point of view) is to split this expression:

  1. 'Normalize' hosts (if it doesn't ends with ':80' - add ':80'). For both: parts[2] and location.host.
  2. Compare normalized hosts (if they aren't equal then this request is remote).

Aslo I want to note that my research is based on the current version of jQuery (1.4.3). In latest version this expression is slightly changed: toLowerCase has been added (but it really doesn't related to this bug).

Last edited 4 years ago by oryol (previous) (diff)

comment:4 Changed 4 years ago by snover

  • Keywords needsreview added
  • Version changed from 1.4.3 to 1.4.4rc

This seems like a real edge case. Does anyone else think it’s not worth fixing? I feel like it’s not worth fixing.

Also, please don’t open new bugs if your old ones are closed. Best to comment on the original if you think it has been closed improperly.

Last edited 4 years ago by snover (previous) (diff)

comment:5 Changed 4 years ago by oryol

Main problem that as result 'normal' URL (without explicitly specified port) don't work correctly in IE Platform Preview (I'm not sure - maybe this behavior will be changed in the release but anyway). On the server side we don't have X-Requested-With header so requests looks like 'not ajax' and handled in other way then it really should be handled.

About opening new bugs - previous was closed with incorrect reason (obviously it isn't duplicate of 6908). If it would be closed with some correct reason (even "won't fix" or some other that exists in this tracker) obviously I wouldn't like to open new bug (in worst case I can create some workaround). And as I didn't find any method to reopen my previous bug I have created a new one.

comment:6 Changed 4 years ago by rwaldron

  • Keywords needsreview,ajaxrewrite added; needsreview removed

comment:7 Changed 4 years ago by jaubourg

  • Status changed from new to closed
  • Resolution set to fixed

Fixes #7465. Reworked the regexp and associated test for cross-domain detection so that it now includes ports. Added cross-domain detection tests for protocol, hostname and port.

Changeset: afefb4f3d28f47c0a93cc9dfddfcbadb595a8efb

comment:8 Changed 4 years ago by jitter

  • Keywords needsreview,ajaxrewrite removed
Note: See TracTickets for help on using tickets.