Commit e0c24b5e authored by Franco Fichtner's avatar Franco Fichtner

csrf: zap Content-length setting refused by at least chrome for safety

See: Refused to set unsafe header "Content-length"
parent 3fcda571
...@@ -40,10 +40,6 @@ CsrfMagic.prototype = { ...@@ -40,10 +40,6 @@ CsrfMagic.prototype = {
send: function(data) { send: function(data) {
if (!this.csrf_isPost) return this.csrf_send(data); if (!this.csrf_isPost) return this.csrf_send(data);
prepend = csrfMagicName + '=' + csrfMagicToken + '&'; prepend = csrfMagicName + '=' + csrfMagicToken + '&';
if (this.csrf_purportedLength === undefined) {
this.csrf_setRequestHeader("Content-length", this.csrf_purportedLength + prepend.length);
delete this.csrf_purportedLength;
}
delete this.csrf_isPost; delete this.csrf_isPost;
return this.csrf_send(prepend + data); return this.csrf_send(prepend + data);
}, },
...@@ -52,12 +48,6 @@ CsrfMagic.prototype = { ...@@ -52,12 +48,6 @@ CsrfMagic.prototype = {
}, },
setRequestHeader: function(header, value) { setRequestHeader: function(header, value) {
// We have to auto-set this at the end, since we don't know how long the
// nonce is when added to the data.
if (this.csrf_isPost && header == "Content-length") {
this.csrf_purportedLength = value;
return;
}
return this.csrf_setRequestHeader(header, value); return this.csrf_setRequestHeader(header, value);
}, },
csrf_setRequestHeader: function(header, value) { csrf_setRequestHeader: function(header, value) {
......