aboutsummaryrefslogtreecommitdiffstats
path: root/core/js
diff options
context:
space:
mode:
Diffstat (limited to 'core/js')
-rw-r--r--core/js/js.js14
-rw-r--r--core/js/oc-requesttoken.js8
2 files changed, 19 insertions, 3 deletions
diff --git a/core/js/js.js b/core/js/js.js
index 8d3756ae2ec..de773dc1221 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -1215,6 +1215,20 @@ function object(o) {
* Initializes core
*/
function initCore() {
+ /**
+ * Disable automatic evaluation of responses for $.ajax() functions (and its
+ * higher-level alternatives like $.get() and $.post()).
+ *
+ * If a response to a $.ajax() request returns a content type of "application/javascript"
+ * JQuery would previously execute the response body. This is a pretty unexpected
+ * behaviour and can result in a bypass of our Content-Security-Policy as well as
+ * multiple unexpected XSS vectors.
+ */
+ $.ajaxSetup({
+ contents: {
+ script: false
+ }
+ });
/**
* Set users locale to moment.js as soon as possible
diff --git a/core/js/oc-requesttoken.js b/core/js/oc-requesttoken.js
index 2f7548ecb77..d5dcecdb5ab 100644
--- a/core/js/oc-requesttoken.js
+++ b/core/js/oc-requesttoken.js
@@ -1,4 +1,6 @@
-$(document).on('ajaxSend',function(elm, xhr) {
- xhr.setRequestHeader('requesttoken', oc_requesttoken);
- xhr.setRequestHeader('OCS-APIREQUEST', 'true');
+$(document).on('ajaxSend',function(elm, xhr, settings) {
+ if(settings.crossDomain === false) {
+ xhr.setRequestHeader('requesttoken', oc_requesttoken);
+ xhr.setRequestHeader('OCS-APIREQUEST', 'true');
+ }
});
generated by cgit v1.2.3 (git 2.39.1) at 2025-06-28 18:13:21 +0000