From 372dda2a2950ad3ae5cf744ed8e3caa69a7ed44b Mon Sep 17 00:00:00 2001
From: Cameron Bothner
Date: Thu, 27 Dec 2018 12:44:04 -0500
Subject: =?UTF-8?q?Don=E2=80=99t=20include=20an=20undefined=20X-CSRF-Token?= =?UTF-8?q?=20header?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If there is not a `csrf-token` meta tag in the document, the blob record XHR was including an `X-CSRF-Token` header set to the string "undefined." Instead of setting it to undefined, it should not be included in the absence of a meta tag.
---
 activestorage/app/assets/javascripts/activestorage.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
 (limited to 'activestorage/app/assets/javascripts/activestorage.js')
diff --git a/activestorage/app/assets/javascripts/activestorage.js b/activestorage/app/assets/javascripts/activestorage.js
index b71e251a11..e2bcb520b9 100644
--- a/activestorage/app/assets/javascripts/activestorage.js
+++ b/activestorage/app/assets/javascripts/activestorage.js
@@ -560,7 +560,10 @@
 this.xhr.setRequestHeader("Content-Type", "application/json");
 this.xhr.setRequestHeader("Accept", "application/json");
 this.xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
- this.xhr.setRequestHeader("X-CSRF-Token", getMetaValue("csrf-token"));
+ var csrfToken = getMetaValue("csrf-token");
+ if (csrfToken != undefined) {
+ this.xhr.setRequestHeader("X-CSRF-Token", csrfToken);
+ }
 this.xhr.addEventListener("load", function(event) {
 return _this.requestDidLoad(event);
 });
-- cgit v1.2.3
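Review bot: The new guard `csrfToken != undefined` relies on loose equality to cover both `null` and `undefined`, and it still lets an empty string through, so a `csrf-token` meta tag with empty content would presumably send an empty `X-CSRF-Token` header. What `getMetaValue` returns for a missing or empty tag is not visible in this hunk, so that is worth confirming; if an empty value is possible, `if (csrfToken) {` covers all three cases, otherwise `!= null` is the more conventional spelling. A short comment such as `// No csrf-token meta tag: omit the header; the server-side CSRF check still decides whether the request is accepted` would record why the header is conditional. The enclosing function starts and ends outside the hunk.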