From 3acca93ad3b4d1d5340730c19f6e932fbb4549af Mon Sep 17 00:00:00 2001
From: Qiang Xue
Date: Fri, 20 Sep 2013 15:04:28 -0400
Subject: [PATCH] Enable CSRF validation by default.

---
 framework/yii/assets/yii.js | 6 ++++++
 framework/yii/web/Request.php | 4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/framework/yii/assets/yii.js b/framework/yii/assets/yii.js
index 99a314e..22f92a5 100644
--- a/framework/yii/assets/yii.js
+++ b/framework/yii/assets/yii.js
@@ -163,6 +163,12 @@ yii = (function ($) {
 init: function () {
 var $document = $(document);
 
+ $.ajaxPrefilter(function (options, originalOptions, xhr) {
+ if (!options.crossDomain && pub.getCsrfVar()) {
+ xhr.setRequestHeader('X-CSRF-TOKEN', pub.getCsrfToken());
+ }
+ });
+
 $document.on('click.yii', pub.clickableSelector, function (event) {
 var $this = $(this);
 if (pub.allowAction($this)) {
diff --git a/framework/yii/web/Request.php b/framework/yii/web/Request.php
index a07deaa..76c8883 100644
--- a/framework/yii/web/Request.php
+++ b/framework/yii/web/Request.php
@@ -76,7 +76,7 @@ class Request extends \yii\base\Request
 const CSRF_HEADER = 'X-CSRF-TOKEN';
 
 /**
- * @var boolean whether to enable CSRF (Cross-Site Request Forgery) validation. Defaults to false.
+ * @var boolean whether to enable CSRF (Cross-Site Request Forgery) validation. Defaults to true.
 * When CSRF validation is enabled, forms submitted to an Yii Web application must be originated
 * from the same application. If not, a 400 HTTP exception will be raised.
 *
@@ -90,7 +90,7 @@ class Request extends \yii\base\Request
 * @see Controller::enableCsrfValidation
 * @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
 */
- public $enableCsrfValidation = false;
+ public $enableCsrfValidation = true;
 /**
 * @var string the name of the token used to prevent CSRF. Defaults to '_csrf'.
 * This property is used only when [[enableCsrfValidation]] is true.
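Review bot: The new prefilter gates on `pub.getCsrfVar()` but sends whatever `pub.getCsrfToken()` returns, so if the token lookup can come back empty while the variable name is configured (not visible in this hunk), the request goes out with the literal header value `undefined` and is rejected with an opaque 400; gating on the token itself is tighter: `var token = pub.getCsrfToken(); if (!options.crossDomain && token) { xhr.setRequestHeader('X-CSRF-TOKEN', token); }`. The `'X-CSRF-TOKEN'` literal duplicates `Request::CSRF_HEADER` from the PHP side of this same commit, so a comment such as `// must match yii\web\Request::CSRF_HEADER` would help keep the two in step. Checking jQuery's `crossDomain` flag is the right guard against leaking the token to another origin, and that intent deserves a one-line comment so a later reader does not drop the check. The enclosing `init` function continues past the end of the hunk.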
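Review bot: Flipping `$enableCsrfValidation` to `true` means requests to an upgraded application fail with the 400 described in the docblock unless they carry the `_csrf` field or the `X-CSRF-TOKEN` header, yet the docblock edited in the earlier hunk of this file still describes only the form path; it should also mention the header path the same commit adds to yii.js, e.g. `* The token may also be supplied in the [[CSRF_HEADER]] request header, which yii.js does for same-origin AJAX requests.` While touching that docblock, `must be originated from the same application` reads better as `must originate from the same application`. Which HTTP methods are actually validated is not visible here, so the set of requests that need the token is inferred; the validation logic itself lives outside both hunks.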