[1.5.x] Fixed #22859 -- Improved crossDomain technique in CSRF example.

timgraham · timgraham · commit ce06ef556970 · 2014-06-18T14:38:19.000-04:00
Thanks flisky for the report. Backport of 0be4d64 from master
diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
@@ -190,9 +190,8 @@ jQuery 1.5 and newer in order to replace the ``sameOrigin`` logic above:
         return (/^(GET|HEAD|OPTIONS|TRACE)$/.test(method));
     }
     $.ajaxSetup({
-        crossDomain: false, // obviates need for sameOrigin test
         beforeSend: function(xhr, settings) {
-            if (!csrfSafeMethod(settings.type)) {
+            if (!csrfSafeMethod(settings.type) && !this.crossDomain) {
                 xhr.setRequestHeader("X-CSRFToken", csrftoken);
             }
         }

Original file line number	Diff line number	Diff line change
@@ -190,9 +190,8 @@ jQuery 1.5 and newer in order to replace the ``sameOrigin`` logic above:
`190`	`190`	`return (/^(GET\|HEAD\|OPTIONS\|TRACE)$/.test(method));`
`191`	`191`	`}`
`192`	`192`	`$.ajaxSetup({`
`193`		`- crossDomain: false, // obviates need for sameOrigin test`
`194`	`193`	`beforeSend: function(xhr, settings) {`
`195`		`- if (!csrfSafeMethod(settings.type)) {`
	`194`	`+ if (!csrfSafeMethod(settings.type) && !this.crossDomain) {`
`196`	`195`	`xhr.setRequestHeader("X-CSRFToken", csrftoken);`
`197`	`196`	`}`
`198`	`197`	`}`