From cd90685af13d3fa14b3bd15aa5e6d4ddeee84eb3 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@owncloud.com>
Date: Mon, 14 Sep 2015 14:01:34 +0200
Subject: [PATCH 1/2] Do not add sensitive request headers for cross domain
 requests

Prevents leaking the CSRF token to another third-party domain by mistake.
---
 core/js/oc-requesttoken.js | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/core/js/oc-requesttoken.js b/core/js/oc-requesttoken.js
index 2f7548ecb77..d5dcecdb5ab 100644
--- a/core/js/oc-requesttoken.js
+++ b/core/js/oc-requesttoken.js
@@ -1,4 +1,6 @@
-$(document).on('ajaxSend',function(elm, xhr) {
-	xhr.setRequestHeader('requesttoken', oc_requesttoken);
-	xhr.setRequestHeader('OCS-APIREQUEST', 'true');
+$(document).on('ajaxSend',function(elm, xhr, settings) {
+	if(settings.crossDomain === false) {
+		xhr.setRequestHeader('requesttoken', oc_requesttoken);
+		xhr.setRequestHeader('OCS-APIREQUEST', 'true');
+	}
 });

From f2d63d351852bea601680da25bc881a3c76701da Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@owncloud.com>
Date: Mon, 14 Sep 2015 14:08:16 +0200
Subject: [PATCH 2/2] Disable automatic evaluation of responses

If a response to a $.ajax() request returns a content type of "application/javascript"
JQuery would previously execute the response body. This is a pretty unexpected
behaviour and can result in a bypass of our Content-Security-Policy as well as
multiple unexpected XSS vectors.
---
 core/js/js.js | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/core/js/js.js b/core/js/js.js
index 8d3756ae2ec..de773dc1221 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -1215,6 +1215,20 @@ function object(o) {
  * Initializes core
  */
 function initCore() {
+	/**
+	 * Disable automatic evaluation of responses for $.ajax() functions (and its
+	 * higher-level alternatives like $.get() and $.post()).
+	 *
+	 * If a response to a $.ajax() request returns a content type of "application/javascript"
+	 * JQuery would previously execute the response body. This is a pretty unexpected
+	 * behaviour and can result in a bypass of our Content-Security-Policy as well as
+	 * multiple unexpected XSS vectors.
+	 */
+	$.ajaxSetup({
+		contents: {
+			script: false
+		}
+	});
 
 	/**
 	 * Set users locale to moment.js as soon as possible