| Summary: | [xhr] XSRF header should only be sent for same-origin requests | ||
|---|---|---|---|
| Product: | [ECD] Orion | Reporter: | Mark Macdonald <mamacdon> |
| Component: | Client | Assignee: | Mark Macdonald <mamacdon> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | P3 | ||
| Version: | 6.0 | ||
| Target Milestone: | 7.0 | ||
| Hardware: | PC | ||
| OS: | Windows 7 | ||
| Whiteboard: | |||
Changing summary: As it turns out, this is a cross-origin request using CORS. In this case we should *never* set the csrf header. Doing so would amount to revealing a secret to a 3rd-party host. Having an opt-out flag is a separate issue. Added unit tests in this commit http://git.eclipse.org/c/orion/org.eclipse.orion.client.git/commit/?id=ae4c52e |
When GitHubFilePlugin attempts to talk to the Github API it gets this error:

> XMLHttpRequest cannot load https://api.github.com/repos/eclipse/orion.client/branches?per_page=1000. Request header x-csrf-token is not allowed by Access-Control-Allow-Headers

The remote server barfs because of the csrf header being sent. xhr.js needs an option to not set the header.
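The resolution above comes down to one check: attach the `x-csrf-token` header only when the request target shares the page's origin, so the token is never disclosed to a third-party host such as api.github.com. The following is an added illustration of that check and is not Orion's `xhr.js`; the function names, the `pageOrigin` parameter, the `orionhub.example` origin and the token value are all constructed for the example. It also strips a caller-supplied CSRF header on cross-origin requests, which goes slightly beyond the bug's description.

```javascript
// Added example (not Orion's xhr.js): send the XSRF token header only when
// the request target has the same origin as the page.

const CSRF_HEADER = "x-csrf-token"; // header name quoted in the bug report

// Origin = scheme + host + port. A relative URL resolves against the page
// origin and is therefore same-origin by construction. Anything that does
// not parse is treated as foreign, so the token is never sent by accident.
function isSameOrigin(requestUrl, pageOrigin) {
  let target;
  let page;
  try {
    page = new URL(pageOrigin);
    target = new URL(requestUrl, page);
  } catch (e) {
    return false;
  }
  return target.origin === page.origin;
}

// Build the header map for one request. `token` is the secret XSRF token the
// application holds (hypothetical: the page does not say where it comes from).
// On a cross-origin request the CSRF header is omitted, and any copy a caller
// passed in `extraHeaders` (in any letter case) is removed as well.
function buildHeaders(requestUrl, pageOrigin, token, extraHeaders) {
  const headers = Object.assign({}, extraHeaders || {});
  if (isSameOrigin(requestUrl, pageOrigin)) {
    headers[CSRF_HEADER] = token;
    return headers;
  }
  for (const name of Object.keys(headers)) {
    if (name.toLowerCase() === CSRF_HEADER) {
      delete headers[name];
    }
  }
  return headers;
}

// Browser-side wrapper around XMLHttpRequest; the origin check above is the
// only part that matters for this bug. Not called in Node, where
// XMLHttpRequest does not exist.
function sendXhr(method, requestUrl, token, extraHeaders) {
  const pageOrigin = window.location.origin;
  const xhr = new XMLHttpRequest();
  xhr.open(method, requestUrl);
  const headers = buildHeaders(requestUrl, pageOrigin, token, extraHeaders);
  for (const name of Object.keys(headers)) {
    xhr.setRequestHeader(name, headers[name]);
  }
  xhr.send();
  return xhr;
}
```

Comparing `URL.origin` rather than the hostname string is what makes the scheme and port count: `http://orionhub.example` and `https://orionhub.example:8443` are different origins from `https://orionhub.example`, and the token stays home in both cases.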