Commit 4497a47c authored by Richard Mansfield's avatar Richard Mansfield

Avoid cross-domain ajax requests from user subdomains (bug #1006634)



When cleanurlusersubdomains is on, ajax requests might come from
somewhere other than the wwwroot.  To avoid cross-domain requests,
this patch will set a javascript variable whenever a page is on a
subdomain.  The ajax wrapper function sendjsonrequest rewrites its url
using the variable if necessary.

Change-Id: If8a625268895fe1b239f76d515dbd17debe0035e
Signed-off-by: default avatarRichard Mansfield <richard.mansfield@catalyst.net.nz>
parent 79865c29
......@@ -221,6 +221,15 @@ function sendjsonrequest(script, data, rtype, successcallback, errorcallback, qu
document.documentElement.style.cursor = 'wait';
if (typeof(fakewwwroot) == 'string') {
if (script.substring(0, 4) == 'http') {
script = fakewwwroot + script.substring(config.wwwroot.length);
}
else {
script = fakewwwroot + script;
}
}
var d = doXHR(script, xhrOptions);
d.addCallbacks(function (result) {
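Review bot: The absolute-URL branch assumes that any `script` starting with 'http' also starts with `config.wwwroot`. `script.substring(config.wwwroot.length)` cuts at that offset regardless, so a URL on another origin, or one with a different scheme, is spliced into a mangled path on the subdomain. Test the prefix explicitly with `if (script.indexOf(config.wwwroot) === 0) {` and guard the relative case with `else if (script.substring(0, 4) != 'http') {`, which leaves other absolute URLs untouched. A relative `script` that begins with '/' would also produce a double slash, because `fakewwwroot` is built with a trailing '/'. The body of sendjsonrequest starts and ends outside the hunk.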
......
......@@ -81,6 +81,21 @@ function smarty($javascript = array(), $headers = array(), $pagestrings = array(
// drag them around the wysiwyg editor
$jswwwroot = json_encode($wwwroot);
// Workaround for $cfg->cleanurlusersubdomains.
// When cleanurlusersubdomains is on, ajax requests might come from somewhere other than
// the wwwroot. To avoid cross-domain requests, set a js variable when this page is on a
// different subdomain, and let the ajax wrapper function sendjsonrequest rewrite its url
// if necessary.
if (get_config('cleanurls') && get_config('cleanurlusersubdomains')) {
if ($requesthost = get_requested_host_name()) {
$wwwrootparts = parse_url($wwwroot);
if ($wwwrootparts['host'] != $requesthost) {
$fakewwwroot = $wwwrootparts['scheme'] . '://' . $requesthost . '/';
$headers[] = '<script type="text/javascript">var fakewwwroot = ' . json_encode($fakewwwroot) . ';</script>';
}
}
}
$theme_list = array();
if (function_exists('pieform_get_headdata')) {
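Review bot: `$requesthost` is used to build `$fakewwwroot` without checking that it is a subdomain of the wwwroot host. If `get_requested_host_name()` reads the client-supplied Host header (its body is not visible here), a forged or cache-poisoned Host value would redirect every sendjsonrequest call on the page to that host. Require the suffix match before emitting the variable, for example `$suffix = '.' . $wwwrootparts['host'];` followed by `if (substr($requesthost, -strlen($suffix)) === $suffix) {`. Because the value lands inside an inline script, `json_encode($fakewwwroot, JSON_HEX_TAG)` is the safer encoding. A `port` component in `$wwwroot` is also dropped when the URL is rebuilt. The body of smarty() starts and ends outside the hunk.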
......