author | George Claghorn <george.claghorn@gmail.com> | 2018-12-27 17:21:41 -0500 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-12-27 17:21:41 -0500 |
commit | 75d0a46b6c836dc57b9f78760b1277a242010b52 (patch) | |
tree | 4b0ca6d6da5ad1d147e6a36febe55c3ea875c296 /activestorage | |
parent | 4ae8d6182fd9351b9451003f9380d8855f3f5a94 (diff) | |
parent | 372dda2a2950ad3ae5cf744ed8e3caa69a7ed44b (diff) | |
Merge pull request #34810 from cbothner/activestorage-no-undefined-csrf-header
ActiveStorage: Don’t include an undefined X-CSRF-Token header when creating a blob record
Diffstat (limited to 'activestorage')
-rw-r--r-- | activestorage/CHANGELOG.md | 5 | ||||
-rw-r--r-- | activestorage/app/assets/javascripts/activestorage.js | 5 | ||||
-rw-r--r-- | activestorage/app/javascript/activestorage/blob_record.js | 7 |
3 files changed, 15 insertions, 2 deletions
diff --git a/activestorage/CHANGELOG.md b/activestorage/CHANGELOG.md
index 99f1ef9d86..51890f308b 100644
--- a/activestorage/CHANGELOG.md
+++ b/activestorage/CHANGELOG.md
@@ -1,3 +1,8 @@
+* It doesn’t include an `X-CSRF-Token` header if a meta tag is not found on
+ the page. It previously included one with a value of `undefined`.
+
+ *Cameron Bothner*
+
 * Fix `ArgumentError` when uploading to amazon s3
 
 *Hiroki Sanpei*
diff --git a/activestorage/app/assets/javascripts/activestorage.js b/activestorage/app/assets/javascripts/activestorage.js
index b71e251a11..e2bcb520b9 100644
--- a/activestorage/app/assets/javascripts/activestorage.js
+++ b/activestorage/app/assets/javascripts/activestorage.js
@@ -560,7 +560,10 @@
 this.xhr.setRequestHeader("Content-Type", "application/json");
 this.xhr.setRequestHeader("Accept", "application/json");
 this.xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
- this.xhr.setRequestHeader("X-CSRF-Token", getMetaValue("csrf-token"));
+ var csrfToken = getMetaValue("csrf-token");
+ if (csrfToken != undefined) {
+ this.xhr.setRequestHeader("X-CSRF-Token", csrfToken);
+ }
 this.xhr.addEventListener("load", function(event) {
 return _this.requestDidLoad(event);
 });
diff --git a/activestorage/app/javascript/activestorage/blob_record.js b/activestorage/app/javascript/activestorage/blob_record.js
index ff847892b2..7fbe315f76 100644
--- a/activestorage/app/javascript/activestorage/blob_record.js
+++ b/activestorage/app/javascript/activestorage/blob_record.js
@@ -17,7 +17,12 @@ export class BlobRecord {
 this.xhr.setRequestHeader("Content-Type", "application/json")
 this.xhr.setRequestHeader("Accept", "application/json")
 this.xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest")
- this.xhr.setRequestHeader("X-CSRF-Token", getMetaValue("csrf-token"))
+
+ const csrfToken = getMetaValue("csrf-token")
+ if (csrfToken != undefined) {
+ this.xhr.setRequestHeader("X-CSRF-Token", csrfToken)
+ }
+
 this.xhr.addEventListener("load", event => this.requestDidLoad(event))
 this.xhr.addEventListener("error", event => this.requestDidError(event))
 } |
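Review bot: The new guard `if (csrfToken != undefined)` in blob_record.js depends on loose equality to skip the header for both `undefined` and `null`, and nothing in the code says that this is deliberate. A later cleanup to `!==` would presumably let a `null` (for example a meta tag without a `content` attribute; `getMetaValue` is not shown here) go out as the literal string "null". I would write `if (csrfToken != null)` and add a comment such as `// Omit X-CSRF-Token when the page has no csrf-token meta tag; the server-side CSRF check decides whether the request is accepted`. An empty `content` value still passes the guard and sends an empty header, so it is worth confirming that this is intended. The enclosing constructor starts outside the hunk, and the same guard appears in the compiled activestorage.js hunk.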