Changeset 8694
- Timestamp:
- 01/23/08 00:57:38 (6 months ago)
- Files:
-
- spinoffs/prototype/branches/1-5-1/CHANGELOG (modified) (1 diff)
- spinoffs/prototype/branches/1-5-1/Rakefile (modified) (1 diff)
- spinoffs/prototype/branches/1-5-1/src/ajax.js (modified) (3 diffs)
- spinoffs/prototype/branches/1-5-1/test/lib/jstest.rb (modified) (3 diffs)
- spinoffs/prototype/branches/1-5-1/test/unit/ajax.html (modified) (1 diff)
spinoffs/prototype/branches/1-5-1/CHANGELOG
r7068 r8694 1 *1.5.1.2* (January 18, 2008) 2 3 * Prevent a potential security issue for cross-site ajax requests. [sam, Tobie Langel] 4 1 5 *1.5.1.1* (June 19, 2007) 2 6 spinoffs/prototype/branches/1-5-1/Rakefile
r7068 r8694 6 6 PROTOTYPE_DIST_DIR = File.join(PROTOTYPE_ROOT, 'dist') 7 7 PROTOTYPE_PKG_DIR = File.join(PROTOTYPE_ROOT, 'pkg') 8 PROTOTYPE_VERSION = '1.5.1. 1'8 PROTOTYPE_VERSION = '1.5.1.2' 9 9 10 10 task :default => [:dist, :package, :clean_package_source] spinoffs/prototype/branches/1-5-1/src/ajax.js
r6558 r8694 188 188 189 189 var contentType = this.getHeader('Content-type'); 190 if (contentType && contentType.strip().190 if (contentType && this.isSameOrigin() && contentType.strip(). 191 191 match(/^(text|application)\/(x-)?(java|ecma)script(;.*)?$/i)) 192 192 this.evalResponse(); … … 206 206 }, 207 207 208 isSameOrigin: function() { 209 var m = this.url.match(/^\s*https?:\/\/[^/]*/); 210 return !m || (m[0] == new Template('#{protocol}//#{domain}#{port}').evaluate({ 211 protocol: location.protocol, 212 domain: document.domain, 213 port: location.port ? ':' + location.port : '' 214 })); 215 }, 216 208 217 getHeader: function(name) { 209 218 try { … … 215 224 try { 216 225 var json = this.getHeader('X-JSON'); 217 return json ? json.evalJSON( ) : null;226 return json ? json.evalJSON(!this.isSameOrigin()) : null; 218 227 } catch (e) { return null } 219 228 }, spinoffs/prototype/branches/1-5-1/test/lib/jstest.rb
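Review bot: `isSameOrigin()` treats any URL that does not match `^\s*https?://` as same-origin (the `!m` branch), so a protocol-relative URL (one starting with `//`) passes the check even though the browser resolves it against the current scheme to a possibly different host, and the same holds for absolute URLs with any other scheme. Widening the match to `var m = this.url.match(/^\s*(https?:)?\/\/[^/]*/);` makes such URLs fall through to the string comparison, where they fail closed. The comparison is exact-case, so `HTTP://` or a differently-cased host is reported as cross-origin; that is conservative, but a comment stating the check is deliberately strict would help, as would one noting that `document.domain` can be relaxed by page script, so the origin compared here may be wider than the browser's own. The `evalJSON(!this.isSameOrigin())` change is consistent with this, since the JSON sanitizer is the only path left for cross-origin responses. The enclosing prototype object (it appears to be `Ajax.Request.prototype`, judging by the test) begins and ends outside this hunk.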
r6600 r8694 147 147 end 148 148 149 class NonCachingFileHandler < WEBrick::HTTPServlet::FileHandler 150 def do_GET(req, res) 151 super 152 153 res['Content-Type'] = case req.path 154 when /\.js$/ then 'text/javascript' 155 when /\.html$/ then 'text/html' 156 when /\.css$/ then 'text/css' 157 else 'text/plain' 158 end 159 149 class WEBrick::HTTPServlet::AbstractServlet 150 def prevent_caching(res) 160 151 res['ETag'] = nil 161 152 res['Last-Modified'] = Time.now + 100**4 … … 166 157 end 167 158 159 class BasicServlet < WEBrick::HTTPServlet::AbstractServlet 160 def do_GET(req, res) 161 prevent_caching(res) 162 res['Content-Type'] = "text/plain" 163 164 req.query.each do |k, v| 165 res[k] = v unless k == 'responseBody' 166 end 167 res.body = req.query["responseBody"] 168 169 raise WEBrick::HTTPStatus::OK 170 end 171 172 def do_POST(req, res) 173 do_GET(req, res) 174 end 175 end 176 177 class NonCachingFileHandler < WEBrick::HTTPServlet::FileHandler 178 def do_GET(req, res) 179 super 180 set_default_content_type(res, req.path) 181 prevent_caching(res) 182 end 183 184 def set_default_content_type(res, path) 185 res['Content-Type'] = case path 186 when /\.js$/ then 'text/javascript' 187 when /\.html$/ then 'text/html' 188 when /\.css$/ then 'text/css' 189 else 'text/plain' 190 end 191 end 192 end 193 168 194 169 195 class JavaScriptTestTask < ::Rake::TaskLib … … 186 212 res.body = req["content-type"] 187 213 end 214 @server.mount("/response", BasicServlet) 188 215 189 216 yield self if block_given? spinoffs/prototype/branches/1-5-1/test/unit/ajax.html
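Review bot: `BasicServlet#do_GET` turns every query key except `responseBody` into a response header and serves `responseBody` verbatim, which is what the new ajax.html test needs but is not stated anywhere; a comment such as `# Echo fixture for test/unit/ajax.html: each query parameter becomes a response header, responseBody becomes the body` above the class would make the intent clear. When `responseBody` is absent, `res.body` is set to nil; `res.body = req.query["responseBody"] || ''` avoids depending on WEBrick's handling of a nil body. Reopening `WEBrick::HTTPServlet::AbstractServlet` to add `prevent_caching` patches the library class for every servlet in the process; a small module included by the two servlets would keep the change local. Because headers are reflected from the query string, this fixture should presumably only be served on the loopback interface; the server's bind address is not visible in this hunk.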
r6558 r8694 174 174 onComplete: function(transport) { assertNotEqual(0, transport.readyState) } 175 175 }); 176 }}, 177 178 testIsSameOriginMethod: function() {with(this) { 179 var isSameOrigin = Ajax.Request.prototype.isSameOrigin; 180 assert(isSameOrigin.call({ url: '/foo/bar.html' }), '/foo/bar.html'); 181 assert(isSameOrigin.call({ url: window.location.toString() }), window.location); 182 assert(!isSameOrigin.call({ url: 'http://example.com' }), 'http://example.com'); 183 184 if (window.location.port == 4711) { 185 Ajax.Request.prototype.isSameOrigin = function() { 186 return false 187 }; 188 189 $("content").update('same origin policy'); 190 new Ajax.Request("/response", { 191 parameters: { 192 responseBody: '$("content").update("<H2>Hello world!</H2>");', 193 'Content-Type': ' text/javascript ' 194 }, 195 asynchronous: false, 196 method: 'get', 197 onException: function(e) { throw e }, 198 onComplete: function(transport) { 199 assertEqual("same origin policy", $("content").innerHTML); 200 } 201 }); 202 203 new Ajax.Request("/response", { 204 parameters: { 'X-JSON': '{});window.attacked = true;({}' }, 205 asynchronous: false, 206 method: 'get', 207 onComplete: function(transport, json) { 208 assertNull(json); 209 } 210 }); 211 212 Ajax.Request.prototype.isSameOrigin = isSameOrigin; 213 } else { 214 info('You must be running your tests from rake to test this feature.'); 215 } 176 216 }} 177 178 217 }, 'testlog'); 179 218 // ]]>
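Review bot: In `testIsSameOriginMethod` the stub assigned to `Ajax.Request.prototype.isSameOrigin` is restored only on the success path; if anything throws between the stub and the restore (the first request rethrows through its `onException` handler), the restore line is skipped and every later test runs with `isSameOrigin` forced to `false`. Wrapping the two requests in `try { … } finally { Ajax.Request.prototype.isSameOrigin = isSameOrigin; }` keeps the stub from leaking. The `window.location.port == 4711` guard appears to tie the test to the port the rake test server listens on, which is not visible here; a short comment naming that dependency, e.g. `// 4711 is the port jstest.rb serves /response on`, would help. The enclosing test-case object starts and ends outside this hunk.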