server/core/js/oc-requesttoken.js
Lukas Reschke cd90685af1 Do not add sensitive request headers for cross domain requests
Prevents leaking the CSRF token to another third-party domain by mistake.
2015-09-15 11:42:13 +02:00


/**
 * Global jQuery `ajaxSend` hook: attaches the CSRF request token and the
 * OCS API marker header to outgoing AJAX requests, but only for requests
 * that are not cross-domain, so the token is not sent to another origin.
 */
$(document).on('ajaxSend', function (event, jqXHR, ajaxOptions) {
  // Fail closed: only an explicit boolean `false` counts as same-origin.
  // A missing or non-boolean flag leaves the sensitive headers off.
  // NOTE(review): the decision relies entirely on the `crossDomain` value in
  // the request settings; confirm no caller forces it to `false` for a URL
  // on a foreign origin, since that request would then carry the token.
  if (ajaxOptions.crossDomain !== false) {
    return;
  }

  // `oc_requesttoken` is a global defined outside this file.
  jqXHR.setRequestHeader('requesttoken', oc_requesttoken);
  jqXHR.setRequestHeader('OCS-APIREQUEST', 'true');
});