kylefang/angular.js
1
0
Fork 0
mirror of https://github.com/zhigang1992/angular.js.git synced 2026-04-13 22:39:59 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix($http): only set X-XSFR-TOKEN header for same-domain request

Browse Source 
This is needed to prevent CORS preflight checks. The XSFR token
is quite useless for CORS requests anyway.

BREAKING CHANGE: X-XSFR-TOKEN is no longer send for cross domain
requests. This shouldn't affect any known production service.

Closes #1096
This commit is contained in:
Rado Kirov
2012-09-28 15:43:01 -07:00
committed by Igor Minar
parent 3a75b1124d
commit fce100a46c
2 changed files with 73 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
test/ng/httpSpec.js
View File

@@ -430,6 +430,17 @@ describe('$http', function() {
$httpBackend.flush();
});
it('should not set XSRF cookie for cross-domain requests', inject(function($browser) {
$browser.cookies('XSRF-TOKEN', 'secret');
$browser.url('http://host.com/base');
$httpBackend.expect('GET', 'http://www.test.com/url', undefined, function(headers) {
return headers['X-XSRF-TOKEN'] === undefined;
}).respond('');
$http({url: 'http://www.test.com/url', method: 'GET', headers: {}});
$httpBackend.flush();
}));
it('should not send Content-Type header if request data/body is undefined', function() {
$httpBackend.expect('POST', '/url', undefined, function(headers) {
@@ -1005,4 +1016,25 @@ describe('$http', function() {
$httpBackend.verifyNoOutstandingExpectation = noop;
});
describe('isSameDomain', function() {
it('should support various combinations of urls', function() {
expect(isSameDomain('path/morepath',
'http://www.adomain.com')).toBe(true);
expect(isSameDomain('http://www.adomain.com/path',
'http://www.adomain.com')).toBe(true);
expect(isSameDomain('//www.adomain.com/path',
'http://www.adomain.com')).toBe(true);
expect(isSameDomain('//www.adomain.com/path',
'https://www.adomain.com')).toBe(true);
expect(isSameDomain('//www.adomain.com/path',
'http://www.adomain.com:1234')).toBe(false);
expect(isSameDomain('https://www.adomain.com/path',
'http://www.adomain.com')).toBe(false);
expect(isSameDomain('http://www.adomain.com:1234/path',
'http://www.adomain.com')).toBe(false);
expect(isSameDomain('http://www.anotherdomain.com/path',
'http://www.adomain.com')).toBe(false);
});
});
});