Merge pull request #19014 from owncloud/dont-add-requestheaders-for-cross-domain-requests
Add security hardenings to $.ajax()
This commit is contained in:
commit
2fc19635f6
@ -1215,6 +1215,20 @@ function object(o) {
|
||||
* Initializes core
|
||||
*/
|
||||
function initCore() {
|
||||
/**
|
||||
* Disable automatic evaluation of responses for $.ajax() functions (and its
|
||||
* higher-level alternatives like $.get() and $.post()).
|
||||
*
|
||||
* If a response to a $.ajax() request returns a content type of "application/javascript"
|
||||
* JQuery would previously execute the response body. This is a pretty unexpected
|
||||
* behaviour and can result in a bypass of our Content-Security-Policy as well as
|
||||
* multiple unexpected XSS vectors.
|
||||
*/
|
||||
$.ajaxSetup({
|
||||
contents: {
|
||||
script: false
|
||||
}
|
||||
});
|
||||
|
||||
/**
|
||||
* Set users locale to moment.js as soon as possible
|
||||
|
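Review bot: The new comment above `$.ajaxSetup({ contents: { script: false } })` overstates the hardening: the `contents` map only controls how jQuery infers a dataType from the response Content-Type, so a request that explicitly asks for `dataType: 'script'` (including `$.getScript()` and `jsonp`) will still have its body evaluated. I would add one line to the doc block so a later reader does not assume all script evaluation is disabled, e.g. ` * Note: this only affects automatic type inference; requests with an explicit dataType of "script" or "jsonp" are still evaluated.` The rest of initCore() continues outside this hunk, so I could not check whether any caller in this function relies on such explicit dataTypes.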
@ -1,4 +1,6 @@
|
||||
$(document).on('ajaxSend',function(elm, xhr) {
|
||||
xhr.setRequestHeader('requesttoken', oc_requesttoken);
|
||||
xhr.setRequestHeader('OCS-APIREQUEST', 'true');
|
||||
$(document).on('ajaxSend',function(elm, xhr, settings) {
|
||||
if(settings.crossDomain === false) {
|
||||
xhr.setRequestHeader('requesttoken', oc_requesttoken);
|
||||
xhr.setRequestHeader('OCS-APIREQUEST', 'true');
|
||||
}
|
||||
});
|
||||
|
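Review bot: The `settings.crossDomain === false` guard has no comment explaining why the headers are now conditional, and the reason is security-relevant: the previous handler attached the CSRF `requesttoken` to every jQuery request, including ones to third-party origins, which disclosed the token to those origins. I would put that rationale next to the check, e.g. `// Only attach the CSRF token and OCS marker to same-origin requests; jQuery computes crossDomain from the URL's scheme/host/port unless the caller overrides it, so a caller forcing crossDomain: true deliberately opts out.` The strict `=== false` comparison is the right conservative choice, since an `undefined` or `true` value both fall through to sending nothing. A small style point: the first callback parameter is the jQuery event object, so naming it `event` rather than `elm` would read more accurately.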