From fce100a46c5681562253c3a856d67bbd35fbc2f2 Mon Sep 17 00:00:00 2001
From: Rado Kirov
Date: Fri, 28 Sep 2012 15:43:01 -0700
Subject: fix($http): only set X-XSFR-TOKEN header for same-domain request

This is needed to prevent CORS preflight checks. The XSFR token is quite useless for CORS requests anyway.

BREAKING CHANGE: X-XSFR-TOKEN is no longer send for cross domain requests. This shouldn't affect any known production service.

Closes #1096
---
 test/ng/httpSpec.js | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)
(limited to 'test')

diff --git a/test/ng/httpSpec.js b/test/ng/httpSpec.js
index 5049a218..1473ab1c 100644
--- a/test/ng/httpSpec.js
+++ b/test/ng/httpSpec.js
@@ -430,6 +430,17 @@ describe('$http', function() {
 $httpBackend.flush();
 });
+ it('should not set XSRF cookie for cross-domain requests', inject(function($browser) {
+ $browser.cookies('XSRF-TOKEN', 'secret');
+ $browser.url('http://host.com/base');
+ $httpBackend.expect('GET', 'http://www.test.com/url', undefined, function(headers) {
+ return headers['X-XSRF-TOKEN'] === undefined;
+ }).respond('');
+
+ $http({url: 'http://www.test.com/url', method: 'GET', headers: {}});
+ $httpBackend.flush();
+ }));
+
 it('should not send Content-Type header if request data/body is undefined', function() {
 $httpBackend.expect('POST', '/url', undefined, function(headers) {
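Review bot: The new test's name says it checks the XSRF cookie, but its matcher asserts that the `X-XSRF-TOKEN` request header is absent, which is the behaviour the commit actually changes; rename it to `it('should not set X-XSRF-TOKEN header for cross-domain requests', ...)`. The only cross-domain case exercised is a different host (`http://host.com/base` versus `http://www.test.com/url`); unless the same-domain positive case is already asserted elsewhere in this spec, a companion test that sets the same cookie, requests `http://host.com/url` and expects `headers['X-XSRF-TOKEN'] === 'secret'` would guard against a regression that stops sending the header everywhere, which an absence-only assertion cannot distinguish from the intended fix. The enclosing `describe('$http')` block starts and ends outside the hunk.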
@@ -1005,4 +1016,25 @@ describe('$http', function() {
 $httpBackend.verifyNoOutstandingExpectation = noop;
 });
+
+ describe('isSameDomain', function() {
+ it('should support various combinations of urls', function() {
+ expect(isSameDomain('path/morepath',
+ 'http://www.adomain.com')).toBe(true);
+ expect(isSameDomain('http://www.adomain.com/path',
+ 'http://www.adomain.com')).toBe(true);
+ expect(isSameDomain('//www.adomain.com/path',
+ 'http://www.adomain.com')).toBe(true);
+ expect(isSameDomain('//www.adomain.com/path',
+ 'https://www.adomain.com')).toBe(true);
+ expect(isSameDomain('//www.adomain.com/path',
+ 'http://www.adomain.com:1234')).toBe(false);
+ expect(isSameDomain('https://www.adomain.com/path',
+ 'http://www.adomain.com')).toBe(false);
+ expect(isSameDomain('http://www.adomain.com:1234/path',
+ 'http://www.adomain.com')).toBe(false);
+ expect(isSameDomain('http://www.anotherdomain.com/path',
+ 'http://www.adomain.com')).toBe(false);
+ });
+ });
 });
--
cgit v1.2.3
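Review bot: The `isSameDomain` cases pin scheme, port and host mismatches, but none of them use the inputs an attacker controls when trying to get the XSRF token sent to another origin: a host that merely contains or extends the page's host, or userinfo before an `@`. Adding `expect(isSameDomain('http://www.adomain.com.evil.com/path', 'http://www.adomain.com')).toBe(false);` and `expect(isSameDomain('http://www.adomain.com@evil.com/path', 'http://www.adomain.com')).toBe(false);` would catch a prefix or substring comparison in the implementation, which is not part of this diff. It is also worth pinning how `http://www.adomain.com:80/path` compares with `http://www.adomain.com`, since the existing `:1234` case leaves the default-port question open either way. `isSameDomain` is called as a bare global here, presumably provided by the Angular source loaded for the spec; the enclosing `describe('$http')` block starts outside the hunk.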