Do not add sensitive request headers for cross domain requests

Prevents leaking the CSRF token to another third-party domain by mistake.
author: Lukas Reschke <lukas@owncloud.com> 2015-09-14 14:01:34 +0200
committer: Lukas Reschke <lukas@owncloud.com> 2015-09-15 11:42:13 +0200
commit: cd90685af13d3fa14b3bd15aa5e6d4ddeee84eb3 (patch)
tree: 94a350e453d44d12cf60cfe6a2135674184df757 /core/js
parent: 24d2cbf3de49dab44978061b33d0580d24d89d58 (diff)
download: nextcloud-server-cd90685af13d3fa14b3bd15aa5e6d4ddeee84eb3.tar.gz
nextcloud-server-cd90685af13d3fa14b3bd15aa5e6d4ddeee84eb3.zip
1 files changed, 5 insertions, 3 deletions
diff --git a/core/js/oc-requesttoken.js b/core/js/oc-requesttoken.js
index 2f7548ecb77..d5dcecdb5ab 100644
--- a/core/js/oc-requesttoken.js
+++ b/core/js/oc-requesttoken.js
@@ -1,4 +1,6 @@
-$(document).on('ajaxSend',function(elm, xhr) {
-	xhr.setRequestHeader('requesttoken', oc_requesttoken);
-	xhr.setRequestHeader('OCS-APIREQUEST', 'true');
+$(document).on('ajaxSend',function(elm, xhr, settings) {
+	if(settings.crossDomain === false) {
+		xhr.setRequestHeader('requesttoken', oc_requesttoken);
+		xhr.setRequestHeader('OCS-APIREQUEST', 'true');
+	}
 });
author	Lukas Reschke <lukas@owncloud.com>	2015-09-14 14:01:34 +0200
committer	Lukas Reschke <lukas@owncloud.com>	2015-09-15 11:42:13 +0200
commit	cd90685af13d3fa14b3bd15aa5e6d4ddeee84eb3 (patch)
tree	94a350e453d44d12cf60cfe6a2135674184df757 /core/js
parent	24d2cbf3de49dab44978061b33d0580d24d89d58 (diff)
download	nextcloud-server-cd90685af13d3fa14b3bd15aa5e6d4ddeee84eb3.tar.gz nextcloud-server-cd90685af13d3fa14b3bd15aa5e6d4ddeee84eb3.zip