authorAndrew Dolgov <[email protected]>2011-12-26 12:02:52 +0400
committerAndrew Dolgov <[email protected]>2011-12-26 12:02:52 +0400
commit8484ce22584b8714622833adcc7ebfe3ef9cf90e (patch)
tree057d7a64c3af60e2389d519ba19e476b5fbe6212 /js
parent036cd3a4106cf2eee0be72f0695458dfb517976b (diff)
experimental CSRF protection
Diffstat (limited to 'js')
-rw-r--r--js/functions.js19
-rw-r--r--js/tt-rss.js1
2 files changed, 19 insertions, 1 deletions
diff --git a/js/functions.js b/js/functions.js
index 02134aafa..52201bd65 100644
--- a/js/functions.js
+++ b/js/functions.js
@@ -1,6 +1,25 @@
var notify_silent = false;
var loading_progress = 0;
var sanity_check_done = false;
+var init_params = {};
+
+Ajax.Base.prototype.initialize = Ajax.Base.prototype.initialize.wrap(
+ function (callOriginal, options) {
+
+ if (getInitParam("csrf_token") != undefined) {
+ Object.extend(options, options || { });
+
+ if (Object.isString(options.parameters))
+ options.parameters = options.parameters.toQueryParams();
+ else if (Object.isHash(options.parameters))
+ options.parameters = options.parameters.toObject();
+
+ options.parameters["csrf_token"] = getInitParam("csrf_token");
+ }
+
+ return callOriginal(options);
+ }
+);
/* add method to remove element from array */
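Review bot: The wrapper dereferences `options.parameters` without making sure it exists, so once a csrf_token is set, any Ajax call made without parameters (or without an options object) will throw at `options.parameters["csrf_token"] = ...`. `Object.extend(options, options || { })` copies the object onto itself and does not create a default; `options = options || { };` plus a final `else if (!options.parameters) options.parameters = { };` branch would cover both cases. The token is also added regardless of request method, and Prototype serialises parameters into the URL for GET requests, where it can end up in access logs and Referer headers; restricting the injection to POST requests would keep it in the request body. A short comment above the wrapper, saying that it adds the token to every Prototype Ajax request and that the server must still validate it, would help the next reader.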
diff --git a/js/tt-rss.js b/js/tt-rss.js
index 084a21863..4f82545f9 100644
--- a/js/tt-rss.js
+++ b/js/tt-rss.js
@@ -5,7 +5,6 @@ var _active_feed_id = 0;
var _active_feed_is_cat = false;
var hotkey_prefix = false;
var hotkey_prefix_pressed = false;
-var init_params = {};
var _force_scheduled_update = false;
var last_scheduled_update = false;