Avoid cross-domain ajax requests from user subdomains (bug #1006634)

When cleanurlusersubdomains is on, ajax requests might come from somewhere other than the wwwroot. To avoid cross-domain requests, this patch will set a javascript variable whenever a page is on a subdomain. The ajax wrapper function sendjsonrequest rewrites its url using the variable if necessary. Change-Id: If8a625268895fe1b239f76d515dbd17debe0035e Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>

Avoid cross-domain ajax requests from user subdomains (bug #1006634)
When cleanurlusersubdomains is on, ajax requests might come from somewhere other than the wwwroot. To avoid cross-domain requests, this patch will set a javascript variable whenever a page is on a subdomain. The ajax wrapper function sendjsonrequest rewrites its url using the variable if necessary. Change-Id: If8a625268895fe1b239f76d515dbd17debe0035e Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>
4497a47c · Richard Mansfield · 79865c29 · 4497a47c · 4497a47c
Commit 4497a47c authored May 30, 2012 by Richard Mansfield
--- a/htdocs/js/mahara.js
+++ b/htdocs/js/mahara.js
@@ -221,6 +221,15 @@ function sendjsonrequest(script, data, rtype, successcallback, errorcallback, qu

    document.documentElement.style.cursor = 'wait';

+    if (typeof(fakewwwroot) == 'string') {
+        if (script.substring(0, 4) == 'http') {
+            script = fakewwwroot + script.substring(config.wwwroot.length);
+        }
+        else {
+            script = fakewwwroot + script;
+        }
+    }
+
    var d = doXHR(script, xhrOptions);

    d.addCallbacks(function (result) {

--- a/htdocs/lib/web.php
+++ b/htdocs/lib/web.php
@@ -81,6 +81,21 @@ function smarty($javascript = array(), $headers = array(), $pagestrings = array(
    // drag them around the wysiwyg editor
    $jswwwroot = json_encode($wwwroot);

+    // Workaround for $cfg->cleanurlusersubdomains.
+    // When cleanurlusersubdomains is on, ajax requests might come from somewhere other than
+    // the wwwroot.  To avoid cross-domain requests, set a js variable when this page is on a
+    // different subdomain, and let the ajax wrapper function sendjsonrequest rewrite its url
+    // if necessary.
+    if (get_config('cleanurls') && get_config('cleanurlusersubdomains')) {
+        if ($requesthost = get_requested_host_name()) {
+            $wwwrootparts = parse_url($wwwroot);
+            if ($wwwrootparts['host'] != $requesthost) {
+                $fakewwwroot = $wwwrootparts['scheme'] . '://' . $requesthost . '/';
+                $headers[] = '<script type="text/javascript">var fakewwwroot = ' . json_encode($fakewwwroot) . ';</script>';
+            }
+        }
+    }
+
    $theme_list = array();
    
    if (function_exists('pieform_get_headdata')) {