commit 1dedc5afdaa3cf06667f83a4dc300d65e1eae0e9 | |
Author: wycats <wycats@gmail.com> | |
Date: Wed Jan 12 20:08:11 2011 -0800 | |
Add the ajaxSend security patch | |
diff --git a/src/rails.js b/src/rails.js | |
index 031ad47..92e860e 100644 | |
--- a/src/rails.js | |
+++ b/src/rails.js | |
@@ -6,6 +6,13 @@ | |
*/ | |
(function($) { | |
+ // Make sure that every Ajax request sends the CSRF token | |
+ $(document).ajaxSend(function(e, xhr, options) { | |
+ var token = $("meta[name='csrf-token']").attr("content"); | |
+ console.log($("meta[name='csrf-token']")); | |
+ xhr.setRequestHeader("X-CSRF-Token", token); | |
+ }); | |
+ | |
// Triggers an event on an element and returns the event result | |
function fire(obj, name, data) { | |
var event = new $.Event(name); | |
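Review bot: The handler added at lines 18–22 attaches the token to every Ajax request with no origin check, so a request the page makes to a third-party host carries the CSRF token as well; on jQuery versions that expose it, guarding with `if (token && !options.crossDomain) xhr.setRequestHeader("X-CSRF-Token", token);` keeps the header first-party only and also avoids sending a stringified `undefined` when the meta tag is absent. The `console.log` on line 20 looks like leftover debugging and should be removed before merge. The enclosing IIFE started at line 16 continues past the hunk.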
diff --git a/test/public/test/call-remote.js b/test/public/test/call-remote.js | |
index 9634b12..5f51737 100644 | |
--- a/test/public/test/call-remote.js | |
+++ b/test/public/test/call-remote.js | |
@@ -18,26 +18,29 @@ function submit(fn) { | |
.trigger('submit'); | |
} | |
-asyncTest('form method is read from "method" and not from "data-method"', 1, function() { | |
+asyncTest('form method is read from "method" and not from "data-method"', 2, function() { | |
build_form({ method: 'post', 'data-method': 'get' }); | |
submit(function(e, data, status, xhr) { | |
+ equal(data.HTTP_X_CSRF_TOKEN, "cf50faa3fe97702ca1ae"); | |
App.assert_post_request(data); | |
}); | |
}); | |
-asyncTest('form method is not read from "data-method" attribute in case of missing "method"', 1, function() { | |
+asyncTest('form method is not read from "data-method" attribute in case of missing "method"', 2, function() { | |
build_form({ 'data-method': 'put' }); | |
submit(function(e, data, status, xhr) { | |
+ equal(data.HTTP_X_CSRF_TOKEN, "cf50faa3fe97702ca1ae"); | |
App.assert_get_request(data); | |
}); | |
}); | |
-asyncTest('form default method is GET', 1, function() { | |
+asyncTest('form default method is GET', 2, function() { | |
build_form(); | |
submit(function(e, data, status, xhr) { | |
+ equal(data.HTTP_X_CSRF_TOKEN, "cf50faa3fe97702ca1ae"); | |
App.assert_get_request(data); | |
}); | |
}); | |
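Review bot: The token literal "cf50faa3fe97702ca1ae" is hard-coded in three assertions here (lines 38, 46, 54) and again in data-method.js and layout.erb, so a change to the fixture value has to be made in five places; a single shared `var CSRF_TOKEN = "cf50faa3fe97702ca1ae";` in the test helper, or reading it back with `$("meta[name='csrf-token']").attr("content")`, would keep the tests and the layout in step. These tests also only confirm the header is present on same-origin requests; nothing covers a request that should not carry it.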
diff --git a/test/public/test/data-method.js b/test/public/test/data-method.js | |
index 5823bc4..499314d 100644 | |
--- a/test/public/test/data-method.js | |
+++ b/test/public/test/data-method.js | |
@@ -18,18 +18,14 @@ function submit(fn) { | |
asyncTest('link with "data-method" set to "delete"', 2, function() { | |
submit(function(data) { | |
equal(data.REQUEST_METHOD, 'DELETE'); | |
- strictEqual(data.params.authenticity_token, undefined); | |
+ strictEqual(data.params.authenticity_token, "cf50faa3fe97702ca1ae" ); | |
}); | |
}); | |
asyncTest('link with "data-method" and CSRF', 1, function() { | |
- $('#qunit-fixture') | |
- .append('<meta name="csrf-param" content="authenticity_token"/>') | |
- .append('<meta name="csrf-token" content="cf50faa3fe97702ca1ae"/>'); | |
- | |
submit(function(data) { | |
equal(data.params.authenticity_token, 'cf50faa3fe97702ca1ae'); | |
}); | |
}); | |
-})(); | |
\ No newline at end of file | |
+})(); | |
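Review bot: With the fixture meta tags removed at lines 71–73 and the layout now supplying the token globally, the test 'link with "data-method" and CSRF' on line 70 asserts exactly what the preceding test's updated line 67 already asserts, so it no longer exercises a distinct case; either rename it to say what it now checks or fold it into the first test. Line 67 also flips from asserting absence to asserting a fixed literal, which changes what the test 'link with "data-method" set to "delete"' is about — its name should mention that the token param is expected.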
diff --git a/test/views/layout.erb b/test/views/layout.erb | |
index 15b7960..744c9d9 100644 | |
--- a/test/views/layout.erb | |
+++ b/test/views/layout.erb | |
@@ -2,6 +2,9 @@ | |
<html id="html"> | |
<head> | |
<title><%= @title %></title> | |
+ <meta name="csrf-param" content="authenticity_token"/> | |
+ <meta name="csrf-token" content="cf50faa3fe97702ca1ae"/> | |
+ | |
<link href="/vendor/qunit.css" media="screen" rel="stylesheet" type="text/css" media="screen, projection" /> | |
<style> | |
#jquery-version { |