commit 1dedc5afdaa3cf06667f83a4dc300d65e1eae0e9
Author: wycats <wycats@gmail.com>
Date: Wed Jan 12 20:08:11 2011 -0800
Add the ajaxSend security patch
diff --git a/src/rails.js b/src/rails.js
index 031ad47..92e860e 100644
--- a/src/rails.js
+++ b/src/rails.js
@@ -6,6 +6,13 @@
*/
(function($) {
+ // Make sure that every Ajax request sends the CSRF token
+ $(document).ajaxSend(function(e, xhr, options) {
+ var token = $("meta[name='csrf-token']").attr("content");
+ console.log($("meta[name='csrf-token']"));
+ xhr.setRequestHeader("X-CSRF-Token", token);
+ });
+
// Triggers an event on an element and returns the event result
function fire(obj, name, data) {
var event = new $.Event(name);
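Review bot: The `console.log($("meta[name='csrf-token']"))` on the line after the token lookup is leftover debugging: it prints the element (and with it the token) to the console on every Ajax request, and throws in browsers where `console` is not defined. The header is also set unconditionally, so when the meta tag is absent `token` is `undefined` and a literal `"undefined"` header goes out, and since `ajaxSend` fires for every request the token is attached to cross-origin requests too, disclosing it to third-party hosts. Drop the log line and guard the header: `if (token && !options.crossDomain) xhr.setRequestHeader("X-CSRF-Token", token);` — `options.crossDomain` exists in jQuery 1.5+; on older versions compare the request URL's origin with `document.location` instead. The enclosing `(function($) {` wrapper continues past the hunk.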
diff --git a/test/public/test/call-remote.js b/test/public/test/call-remote.js
index 9634b12..5f51737 100644
--- a/test/public/test/call-remote.js
+++ b/test/public/test/call-remote.js
@@ -18,26 +18,29 @@ function submit(fn) {
.trigger('submit');
}
-asyncTest('form method is read from "method" and not from "data-method"', 1, function() {
+asyncTest('form method is read from "method" and not from "data-method"', 2, function() {
build_form({ method: 'post', 'data-method': 'get' });
submit(function(e, data, status, xhr) {
+ equal(data.HTTP_X_CSRF_TOKEN, "cf50faa3fe97702ca1ae");
App.assert_post_request(data);
});
});
-asyncTest('form method is not read from "data-method" attribute in case of missing "method"', 1, function() {
+asyncTest('form method is not read from "data-method" attribute in case of missing "method"', 2, function() {
build_form({ 'data-method': 'put' });
submit(function(e, data, status, xhr) {
+ equal(data.HTTP_X_CSRF_TOKEN, "cf50faa3fe97702ca1ae");
App.assert_get_request(data);
});
});
-asyncTest('form default method is GET', 1, function() {
+asyncTest('form default method is GET', 2, function() {
build_form();
submit(function(e, data, status, xhr) {
+ equal(data.HTTP_X_CSRF_TOKEN, "cf50faa3fe97702ca1ae");
App.assert_get_request(data);
});
});
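Review bot: The token literal `"cf50faa3fe97702ca1ae"` is repeated in all three new `equal(...)` assertions here and again in data-method.js and layout.erb, so a change to the fixture value would have to be chased through four places. Hoist it once in this file, `var CSRF_TOKEN = 'cf50faa3fe97702ca1ae';`, and assert `equal(data.HTTP_X_CSRF_TOKEN, CSRF_TOKEN);`; ideally layout.erb would read the same value so the test and fixture cannot drift. The added assertions also use double quotes where the rest of the file uses single quotes. The `submit` helper and the enclosing scope start before this hunk.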
diff --git a/test/public/test/data-method.js b/test/public/test/data-method.js
index 5823bc4..499314d 100644
--- a/test/public/test/data-method.js
+++ b/test/public/test/data-method.js
@@ -18,18 +18,14 @@ function submit(fn) {
asyncTest('link with "data-method" set to "delete"', 2, function() {
submit(function(data) {
equal(data.REQUEST_METHOD, 'DELETE');
- strictEqual(data.params.authenticity_token, undefined);
+ strictEqual(data.params.authenticity_token, "cf50faa3fe97702ca1ae" );
});
});
asyncTest('link with "data-method" and CSRF', 1, function() {
- $('#qunit-fixture')
- .append('<meta name="csrf-param" content="authenticity_token"/>')
- .append('<meta name="csrf-token" content="cf50faa3fe97702ca1ae"/>');
-
submit(function(data) {
equal(data.params.authenticity_token, 'cf50faa3fe97702ca1ae');
});
});
-})();
\ No newline at end of file
+})();
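Review bot: With the per-test `<meta>` fixture removed, the test `link with "data-method" and CSRF` is now identical in setup to the test above it and asserts the same `authenticity_token` value, so its name no longer describes a distinct case and it adds no coverage. Either fold it into the first test or repurpose it for the case the commit loses — a page without the csrf-token meta tag, where the earlier `strictEqual(data.params.authenticity_token, undefined)` expectation could live (that requires removing the tag from `#qunit-fixture`'s parent document or a dedicated layout, which this commit does not provide). Minor: the rewritten assertion `strictEqual(data.params.authenticity_token, "cf50faa3fe97702ca1ae" )` has a stray space before `)` and double quotes where the sibling test uses `'cf50faa3fe97702ca1ae'`; match the existing style.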
diff --git a/test/views/layout.erb b/test/views/layout.erb
index 15b7960..744c9d9 100644
--- a/test/views/layout.erb
+++ b/test/views/layout.erb
@@ -2,6 +2,9 @@
<html id="html">
<head>
<title><%= @title %></title>
+ <meta name="csrf-param" content="authenticity_token"/>
+ <meta name="csrf-token" content="cf50faa3fe97702ca1ae"/>
+
<link href="/vendor/qunit.css" media="screen" rel="stylesheet" type="text/css" media="screen, projection" />
<style>
#jquery-version {