php/yii2
1
0
Fork 0
mirror of https://github.com/yiisoft/yii2.git synced 2025-11-03 05:48:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix #17878: Detect CORS AJAX requests without X-Requested-With in Request::getIsAjax()

Browse Source
This commit is contained in:
Igor Tarasov
2020-03-24 21:01:52 +05:00
committed by GitHub
parent 4b6d3c0290
commit 7f88acb313
4 changed files with 29 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
framework/CHANGELOG.md
View File

@ -4,6 +4,7 @@ Yii Framework 2 Change Log
2.0.33 under development 2.0.33 under development
------------------------ ------------------------
- Bug #17878: Detect CORS AJAX requests without `X-Requested-With` in `Request::getIsAjax()` (dicrtarasov, samdark)
- Enh #17929: Actions can now have bool typed params bound (alex-code) - Enh #17929: Actions can now have bool typed params bound (alex-code)
- Enh #17827: Add `StringValidator::$strict` that can be turned off to allow any scalars (adhayward, samdark) - Enh #17827: Add `StringValidator::$strict` that can be turned off to allow any scalars (adhayward, samdark)
- Bug #16145: Fix `Html` helper `checkboxList()`, `radioList()`, `renderSelectOptions()`, `dropDownList()`, `listBox()` methods to work properly with traversable selection (samdark) - Bug #16145: Fix `Html` helper `checkboxList()`, `radioList()`, `renderSelectOptions()`, `dropDownList()`, `listBox()` methods to work properly with traversable selection (samdark)

12
framework/web/Request.php
View File

@ -471,8 +471,8 @@ class Request extends \yii\base\Request
/** /**
* Returns whether this is an AJAX (XMLHttpRequest) request. * Returns whether this is an AJAX (XMLHttpRequest) request.
* *
* Note that jQuery doesn't set the header in case of cross domain * Note that in case of cross domain requests, browser doesn't set the X-Requested-With header by default:
* requests: https://stackoverflow.com/questions/8163703/cross-domain-ajax-doesnt-send-x-requested-with-header * https://stackoverflow.com/questions/8163703/cross-domain-ajax-doesnt-send-x-requested-with-header
* *
* In case you are using `fetch()`, pass header manually: * In case you are using `fetch()`, pass header manually:
* *
@ -487,7 +487,13 @@ class Request extends \yii\base\Request
*/ */
public function getIsAjax() public function getIsAjax()
{ {
return $this->headers->get('X-Requested-With') === 'XMLHttpRequest'; $origin = $this->headers->get('Origin');
return
($this->headers->get('X-Requested-With') === 'XMLHttpRequest') ||
($this->headers->get('Sec-Fetch-Mode') === 'cors') ||
($this->headers->get('Sec-Fetch-Site') === 'cross-site') ||
($origin !== null && $origin !== $this->getHostInfo());
} }
/** /**

2
tests/framework/ChangeLogTest.php
View File

@ -18,7 +18,7 @@ class ChangeLogTest extends TestCase
public function changeProvider() public function changeProvider()
{ {
$lines = explode("\n", file_get_contents(__DIR__ . '/../../framework/CHANGELOG.md')); $lines = preg_split("~\R~", file_get_contents(__DIR__ . '/../../framework/CHANGELOG.md'), PREG_SPLIT_NO_EMPTY);
// Don't check last 1500 lines, they are old and often don't obey the standard. // Don't check last 1500 lines, they are old and often don't obey the standard.
$lastIndex = count($lines) - 1500; $lastIndex = count($lines) - 1500;

18
tests/framework/web/RequestTest.php
View File

@ -908,6 +908,24 @@ class RequestTest extends TestCase
], ],
true, true,
], ],
[
[
'HTTP_Sec-Fetch-Mode' => 'cors',
],
true,
],
[
[
'HTTP_Sec-Fetch-Site' => 'cross-site',
],
true,
],
[
[
'HTTP_Origin' => 'https://example.com/',
],
true,
],
]; ];
} }