Skip to content

Fix for broken cross domain behaviour in jQuery >= 1.5 #167

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
ciaranlee wants to merge 1 commit into from
Closed

Fix for broken cross domain behaviour in jQuery >= 1.5 #167

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions src/rails.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,6 +95,7 @@
// Submits "remote" forms and links with ajax
handleRemote: function(element) {
var method, url, data,
crossDomain = element.data('cross-domain') || false,
Copy link
Member

@JangoSteve JangoSteve Jun 15, 2011

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also reading through jquery source, I found that jquery does try to intelligently guess whether or not crossDomain should be enabled based on the request URL and the current URL, just as I had previously suggested. See these lines in ajax.js.

    // Determine if a cross-domain request is in order
    if ( s.crossDomain == null ) {
        parts = rurl.exec( s.url.toLowerCase() );
        s.crossDomain = !!( parts &&
            ( parts[ 1 ] != ajaxLocParts[ 1 ] || parts[ 2 ] != ajaxLocParts[ 2 ] ||
                ( parts[ 3 ] || ( parts[ 1 ] === "http:" ? 80 : 443 ) ) !=
                    ( ajaxLocParts[ 3 ] || ( ajaxLocParts[ 1 ] === "http:" ? 80 : 443 ) ) )
        );
    }

Because of this, rather than defaulting crossDomain to false, we should instead default it to null so jquery can do it's thing.

dataType = element.data('type') || ($.ajaxSettings && $.ajaxSettings.dataType);

if (rails.fire(element, 'ajax:before')) {
Expand All @@ -116,7 +117,7 @@
}

rails.ajax({
url: url, type: method || 'GET', data: data, dataType: dataType,
url: url, type: method || 'GET', data: data, dataType: dataType, crossDomain: crossDomain,
Copy link
Member

@JangoSteve JangoSteve Jun 15, 2011

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should be noted that the crossDomain parameter in jQuery's ajax function was only added in 1.5. This caused some funky behavior in the test case I created when testing with jquery >1.5.

I read through the jquery source, since it's not really documented anywhere, but among other things, setting crossDomain: true causes jquery to not set headers[ "X-Requested-With" ] = "XMLHttpRequest";, and so, Rails would return false forrequest.xhr?`.

According to the comments in the jquery source:

// X-Requested-With header
// For cross-domain requests, seeing as conditions for a preflight are
// akin to a jigsaw puzzle, we simply never set it to be sure.
// (it can always be set on a per-request basis or even using ajaxSetup)
// For same-domain requests, won't change header if already provided.
if ( !s.crossDomain && !headers["X-Requested-With"] ) {
  headers[ "X-Requested-With" ] = "XMLHttpRequest";
}

// stopping the "ajax:beforeSend" event will cancel the ajax request
beforeSend: function(xhr, settings) {
if (settings.dataType === undefined) {
Expand Down Expand Up @@ -244,7 +245,7 @@

// ajaxPrefilter is a jQuery 1.5 feature
if ('ajaxPrefilter' in $) {
$.ajaxPrefilter(function(options, originalOptions, xhr){ rails.CSRFProtection(xhr); });
$.ajaxPrefilter(function(options, originalOptions, xhr){ if ( !options.crossDomain ) { rails.CSRFProtection(xhr); }});
} else {
$(document).ajaxSend(function(e, xhr){ rails.CSRFProtection(xhr); });
}
Expand Down