vidibus-xss 0.1.7 → 0.1.8

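--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-0.1.7
+0.1.8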
@@ -20,6 +20,19 @@ module Vidibus
20
20
 
21
21
  protected
22
22
 
23
+ # Returns true if requesting client is in list of xss clients.
24
+ def xss_client?
25
+ @is_xss_client ||= !!xss_client
26
+ end
27
+
28
+ # Returns requesting client if it is in list of xss clients.
29
+ def xss_client
30
+ @xss_client ||= begin
31
+ return unless origin = request.headers["Origin"]
32
+ xss_clients.detect { |c| c == origin }
33
+ end
34
+ end
35
+
23
36
  # Returns layout for current request format.
24
37
  def get_layout(format = nil)
25
38
  (xss_request? or format == :xss) ? 'xss.haml' : 'application'
@@ -73,7 +86,7 @@ module Vidibus
73
86
  # Set access control headers to allow cross-domain XMLHttpRequest calls.
74
87
  # For more information, see: https://developer.mozilla.org/En/HTTP_access_control
75
88
  def xss_access_control_headers
76
- headers["Access-Control-Allow-Origin"] = xss_clients.join(",")
89
+ headers["Access-Control-Allow-Origin"] = xss_client if xss_client
77
90
  headers["Access-Control-Allow-Methods"] = "GET,PUT,POST,OPTIONS"
78
91
  headers["Access-Control-Allow-Headers"] = "Content-Type,Depth,User-Agent,X-File-Size,X-Requested-With,If-Modified-Since,X-File-Name,Cache-Control"
79
92
  headers["Access-Control-Allow-Credentials"] = "true"
@@ -296,7 +309,7 @@ module Vidibus
296
309
 
297
310
  render_xss(xss)
298
311
  else
299
- if xss_clients.include?(request.headers["Origin"])
312
+ if xss_client?
300
313
  xss_access_control_headers
301
314
  end
302
315
  super(*args, &block)
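Review bot: In xss_access_control_headers (second hunk) the line `headers["Access-Control-Allow-Origin"] = xss_client if xss_client` now echoes a per-request origin while `Access-Control-Allow-Credentials` stays "true", so the response differs by the request's Origin header; without a `Vary: Origin` header a shared cache can hand one whitelisted client's Allow-Origin value to a request from another origin, so I would add `headers["Vary"] = "Origin"` beside it. In the first hunk, `@is_xss_client ||= !!xss_client` and `@xss_client ||= begin ... end` only memoize a truthy result, so a non-whitelisted request repeats the header lookup on every call — harmless, but a `||=` suggests caching that does not happen; `defined?(@is_xss_client) ? @is_xss_client : (@is_xss_client = !!xss_client)` or dropping the memoization would be clearer. The guard `return unless origin = request.headers["Origin"]` reads as a typo for `==`; `return unless (origin = request.headers["Origin"])` makes the assignment explicit. The method containing `super(*args, &block)` in the third hunk, and the body of xss_access_control_headers, start or continue outside their hunks.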
@@ -316,7 +316,6 @@ $(function($) {
316
316
  type: method.toUpperCase(),
317
317
  beforeSend: function(xhr) {
318
318
  el.trigger('ajax:loading', xhr);
319
- xhr.withCredentials = "true";
320
319
  },
321
320
  success: function(data, status, xhr) {
322
321
  el.trigger('ajax:success', [data, status, xhr]);
@@ -333,17 +332,32 @@ $(function($) {
333
332
  }
334
333
  }
335
334
  });
335
+
336
+ /**
337
+ * Extend xhr object to send credentials and force XMLHttpRequest.
338
+ */
339
+ extendXhr = function(xhr) {
340
+ xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
341
+ try {
342
+ xhr.withCredentials = "true";
343
+ } catch(e) {
344
+ alert('Cannot set xhr with credentials:\n'+e)
345
+ }
346
+ };
347
+
348
+ /**
349
+ * Extends xhr on beforeSend by binding to Rails' ajax:loading event.
350
+ */
351
+ $("body").bind('ajax:loading', function(e, xhr) {
352
+ extendXhr(xhr);
353
+ });
354
+
355
+ /**
356
+ * Try to send xhr request withCredentials.
357
+ * Unfortunately, this has to be set after the connection has been opened.
358
+ * If you set a beforeSend handler yourself, you have to set withCredentials by yourself.
359
+ */
360
+ $.ajaxSettings.beforeSend = function(xhr) {
361
+ extendXhr(xhr);
362
+ };
336
363
  });
337
-
338
- /**
339
- * Try to send xhr request withCredentials.
340
- * Unfortunately, this has to be set after the connection has been opened.
341
- * If you set a beforeSend handler yourself, you have to set withCredentials by yourself.
342
- */
343
- $.ajaxSettings.beforeSend = function(xhr) {
344
- try {
345
- xhr.withCredentials = "true";
346
- } catch(e) {
347
- alert('Cannot set xhr with credentials:\n'+e)
348
- }
349
- };
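Review bot: `extendXhr = function(xhr) {` in the last hunk assigns to an undeclared identifier, which creates an implicit global (and throws under strict mode); declare it with `var extendXhr = function(xhr) {`. Inside it, `xhr.withCredentials = "true"` stores a string in a boolean property — it coerces to true, but `xhr.withCredentials = true;` states the intent and stops a reader from assuming the string value matters. Both the `ajax:loading` handler and the default `$.ajaxSettings.beforeSend` call extendXhr; if both fire for one request, `setRequestHeader` appends a second `X-Requested-With` value rather than replacing it — presumably a per-call beforeSend (like the form handler's at the top of this file) suppresses the default one, but that is worth confirming. The `alert()` on failure is intrusive for a library helper; a guarded `console` message would degrade more quietly.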
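--- a/data/vidibus-xss.gemspec
+++ b/data/vidibus-xss.gemspec
@@ -5,7 +5,7 @@
 
 Gem::Specification.new do |s|
 s.name = %q{vidibus-xss}
-s.version = "0.1.7"
+s.version = "0.1.8"
 
 s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
 s.authors = ["Andre Pankratz"]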
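--- a/metadata
+++ b/metadata
@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: vidibus-xss
 version: !ruby/object:Gem::Version
-hash: 21
+hash: 11
 prerelease: false
 segments:
 - 0
 - 1
-- 7
-version: 0.1.7
+- 8
+version: 0.1.8
 platform: ruby
 authors:
 - Andre Pankratz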