Merge pull request #19014 from owncloud/dont-add-requestheaders-for-cross-domain-requests

Add security hardenings to $.ajax()
author: Thomas Müller <thomas.mueller@tmit.eu> 2015-09-16 00:16:31 +0200
committer: Thomas Müller <thomas.mueller@tmit.eu> 2015-09-16 00:16:31 +0200
commit: 2fc19635f6a98c0acbd223b3f9d0028ff2755585 (patch)
tree: d296d796ce1392900e477a45cc44a893bdae7ad5 /core/js/oc-requesttoken.js
parent: d1f7087b6cf1f6c706f3a4f66cb0aa91bd5c28c1 (diff)
parent: 2f4a1c9c2c9777a2e225b433573f6473f3b9e0b1 (diff)
download: nextcloud-server-2fc19635f6a98c0acbd223b3f9d0028ff2755585.tar.gz
nextcloud-server-2fc19635f6a98c0acbd223b3f9d0028ff2755585.zip
1 files changed, 5 insertions, 3 deletions
diff --git a/core/js/oc-requesttoken.js b/core/js/oc-requesttoken.js
index 2f7548ecb77..d5dcecdb5ab 100644
--- a/core/js/oc-requesttoken.js
+++ b/core/js/oc-requesttoken.js
@@ -1,4 +1,6 @@
-$(document).on('ajaxSend',function(elm, xhr) {
-	xhr.setRequestHeader('requesttoken', oc_requesttoken);
-	xhr.setRequestHeader('OCS-APIREQUEST', 'true');
+$(document).on('ajaxSend',function(elm, xhr, settings) {
+	if(settings.crossDomain === false) {
+		xhr.setRequestHeader('requesttoken', oc_requesttoken);
+		xhr.setRequestHeader('OCS-APIREQUEST', 'true');
+	}
 });
author	Thomas Müller <thomas.mueller@tmit.eu>	2015-09-16 00:16:31 +0200
committer	Thomas Müller <thomas.mueller@tmit.eu>	2015-09-16 00:16:31 +0200
commit	2fc19635f6a98c0acbd223b3f9d0028ff2755585 (patch)
tree	d296d796ce1392900e477a45cc44a893bdae7ad5 /core/js/oc-requesttoken.js
parent	d1f7087b6cf1f6c706f3a4f66cb0aa91bd5c28c1 (diff)
parent	2f4a1c9c2c9777a2e225b433573f6473f3b9e0b1 (diff)
download	nextcloud-server-2fc19635f6a98c0acbd223b3f9d0028ff2755585.tar.gz nextcloud-server-2fc19635f6a98c0acbd223b3f9d0028ff2755585.zip