Incorrect checking for cross-site XHR
Reported by: oryol | Owned by: oryol
Let me explain with a short example:

```html
<script src="http://code.jquery.com/jquery-1.4.3.min.js"></script>
<script>
  // Same host twice: once without a port, once with the default port spelled out
  var url = 'http://' + window.location.hostname;
  $.get(url);
  $.get(url + ':80');
</script>
```
- Deploy such a page to some web server (on port 80)
- Open the page in a browser and look at the requests
- Two requests will be made
Expected result: both requests should have X-Requested-With header.
Actual result: only one request (the second in platform preview versions of IE9 and the first in other browsers) will have this header.
The main problem is in this line:
`parts !== location.host);`
The default web port (80) may or may not be present in window.location.host (depending on the browser), and it may or may not be present in the URL of the AJAX request. So the condition `parts !== location.host` is incorrect if either parts (the URL of the request) or location.host (the current URL reported by the browser) contains the default port (:80) but not both.
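The comparison the report describes, as an added example (not jQuery's code): a naive string comparison of the parsed host against `location.host`, next to a port-aware comparison that strips the scheme's default port from both sides before comparing. The `rurl` regex, the `defaultPorts` table and the `isCrossDomain*` names are assumptions made for this example; `loc` stands in for `window.location`, so the functions can be exercised outside a browser.

```javascript
// Added example, not code from the jQuery project.
// Assumed URL splitter: captures "scheme:" (optional) and "host[:port]".
const rurl = /^([\w-]+:)?\/\/([^\/?#]+)/;
// Assumed default-port table, keyed by scheme as window.location.protocol spells it.
const defaultPorts = { 'http:': '80', 'https:': '443' };

// Canonical "host" or "host:port": lower-cased, with the scheme's default port removed.
function normalizeHost(host, protocol) {
  const m = /^(.*?)(?::(\d+))?$/.exec(host);
  const name = m[1].toLowerCase();
  const port = m[2];
  if (!port || port === defaultPorts[protocol]) return name;
  return name + ':' + port;
}

// Naive check, mirroring the flawed comparison from the ticket: plain string equality
// on host[:port], so "example.com" and "example.com:80" are treated as different origins.
function isCrossDomainNaive(url, loc) {
  const parts = rurl.exec(url.toLowerCase());
  return !!parts &&
    ((parts[1] && parts[1] !== loc.protocol) || parts[2] !== loc.host);
}

// Port-aware check: a missing scheme inherits the page's scheme, schemes must match,
// and hosts are compared only after default ports are normalized away on both sides.
function isCrossDomainFixed(url, loc) {
  const parts = rurl.exec(url);
  if (!parts) return false;                  // relative URL: always same-origin
  const pageProtocol = loc.protocol.toLowerCase();
  const protocol = (parts[1] || pageProtocol).toLowerCase();
  if (protocol !== pageProtocol) return true;
  return normalizeHost(parts[2], protocol) !== normalizeHost(loc.host, pageProtocol);
}

// Constructed sample: a browser that reports location.host without the default port.
const pageNoPort = { protocol: 'http:', host: 'example.com' };
// Constructed sample: a browser that reports location.host with the default port.
const pageWithPort = { protocol: 'http:', host: 'example.com:80' };

console.log('naive, host:80 on no-port page ->', isCrossDomainNaive('http://example.com:80', pageNoPort));
console.log('fixed, host:80 on no-port page ->', isCrossDomainFixed('http://example.com:80', pageNoPort));
console.log('fixed, host on port-80 page    ->', isCrossDomainFixed('http://example.com', pageWithPort));
console.log('fixed, host:8080               ->', isCrossDomainFixed('http://example.com:8080', pageNoPort));
```

The practical consequence of the naive check is a false "cross-domain" verdict for a same-origin request, which is exactly the case where a library would drop the `X-Requested-With` header; a server relying on that header as a same-origin signal then rejects a legitimate request, so the normalization has to happen on both sides of the comparison, not just on the request URL.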
Change History (8)
comment:2 Changed 5 years ago by SlexAxton
- Component changed from unfiled to ajax
- Owner set to oryol
- Priority changed from undecided to low
- Status changed from new to pending
comment:3 Changed 5 years ago by oryol
- Status changed from pending to new
comment:4 Changed 5 years ago by snover
- Keywords needsreview added
- Version changed from 1.4.3 to 1.4.4rc