Ticket #7465 (closed bug: fixed)
Incorrect checking for cross-site XHR
| Reported by: | oryol | Owned by: | oryol |
|---|---|---|---|
| Priority: | low | Milestone: | 1.5 |
| Component: | ajax | Version: | 1.4.4rc |
| Keywords: | Cc: | ||
| Blocking: | Blocked by: |
Description
I already created http://bugs.jquery.com/ticket/6873 but it was incorrectly closed as duplicate of http://bugs.jquery.com/ticket/6908. But really these issues are completely different.
Let me explain with sort example:
<script src=" http://code.jquery.com/jquery-1.4.3.min.js"></script> <script>
var url = ' http://' + window.location.hostname; $.get(url); $.get(url + ':80');
</script>
- Deploy such page to some web server (on 80 port)
- Open page in a browser and see requests
- Two requests will be made
Expected result: both requests should have X-Requested-With header.
Actual result: only one request (second in platform preview versions of IE9 and first in other browsers) will have this header.
Main problem in this line:
| parts[2] !== location.host); |
Default web port (80) can be presented in window.location.host or not (depends on the browser) also it can (or not)be presented in the URL for AJAX request. So condition parts[2] !== location.host is incorrect if parts[2] (url of request) or location.host (current url reported by browser) contains default port (:80) but not both.
Change History
comment:2 Changed 3 years ago by SlexAxton
- Owner set to oryol
- Priority changed from undecided to low
- Status changed from new to pending
- Component changed from unfiled to ajax
Do you have any insight into what the correct check on that line might be?
comment:3 Changed 3 years ago by oryol
- Status changed from pending to new
Easy way (from my point of view) is to split this expression:
- 'Normalize' hosts (if it doesn't ends with ':80' - add ':80'). For both: parts[2] and location.host.
- Compare normalized hosts (if they aren't equal then this request is remote).
Aslo I want to note that my research is based on the current version of jQuery (1.4.3). In latest version this expression is slightly changed: toLowerCase has been added (but it really doesn't related to this bug).
comment:4 Changed 3 years ago by snover
- Keywords needsreview added
- Version changed from 1.4.3 to 1.4.4rc
This seems like a real edge case. Does anyone else think it’s not worth fixing? I feel like it’s not worth fixing.
Also, please don’t open new bugs if your old ones are closed. Best to comment on the original if you think it has been closed improperly.
comment:5 Changed 3 years ago by oryol
Main problem that as result 'normal' URL (without explicitly specified port) don't work correctly in IE Platform Preview (I'm not sure - maybe this behavior will be changed in the release but anyway). On the server side we don't have X-Requested-With header so requests looks like 'not ajax' and handled in other way then it really should be handled.
About opening new bugs - previous was closed with incorrect reason (obviously it isn't duplicate of 6908). If it would be closed with some correct reason (even "won't fix" or some other that exists in this tracker) obviously I wouldn't like to open new bug (in worst case I can create some workaround). And as I didn't find any method to reopen my previous bug I have created a new one.
comment:6 Changed 2 years ago by rwaldron
- Keywords needsreview,ajaxrewrite added; needsreview removed
comment:7 Changed 2 years ago by jaubourg
- Status changed from new to closed
- Resolution set to fixed
Fixes #7465. Reworked the regexp and associated test for cross-domain detection so that it now includes ports. Added cross-domain detection tests for protocol, hostname and port.
Changeset: afefb4f3d28f47c0a93cc9dfddfcbadb595a8efb
Please follow the bug reporting guidlines and use jsFiddle when providing test cases and demonstrations instead of pasting the code in the ticket.
http://jsfiddle.net/Qf8RY/ - demo (see request headers of two requests)