Commit 3acca93a by Qiang Xue

Enable CSRF validation by default.

parent 41f7a7d2
...@@ -163,6 +163,12 @@ yii = (function ($) { ...@@ -163,6 +163,12 @@ yii = (function ($) {
init: function () { init: function () {
var $document = $(document); var $document = $(document);
$.ajaxPrefilter(function (options, originalOptions, xhr) {
if (!options.crossDomain && pub.getCsrfVar()) {
xhr.setRequestHeader('X-CSRF-TOKEN', pub.getCsrfToken());
}
});
$document.on('click.yii', pub.clickableSelector, function (event) { $document.on('click.yii', pub.clickableSelector, function (event) {
var $this = $(this); var $this = $(this);
if (pub.allowAction($this)) { if (pub.allowAction($this)) {
......
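Review bot: The same-origin decision in the new prefilter rests entirely on `options.crossDomain`, and jQuery only computes that flag when the caller has not set it, so a request that explicitly passes `crossDomain: false` for a third-party URL would still receive the `X-CSRF-TOKEN` header. A comment would make the assumption visible to the next maintainer, e.g. `// Only attach the CSRF token to same-origin requests so it is never disclosed to another host; relies on jQuery's crossDomain detection.` If that is not acceptable, the check could additionally compare the host of `options.url` with `location.host` before setting the header. The enclosing `init` function continues outside the hunk.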
...@@ -76,7 +76,7 @@ class Request extends \yii\base\Request ...@@ -76,7 +76,7 @@ class Request extends \yii\base\Request
const CSRF_HEADER = 'X-CSRF-TOKEN'; const CSRF_HEADER = 'X-CSRF-TOKEN';
/** /**
* @var boolean whether to enable CSRF (Cross-Site Request Forgery) validation. Defaults to false. * @var boolean whether to enable CSRF (Cross-Site Request Forgery) validation. Defaults to true.
* When CSRF validation is enabled, forms submitted to an Yii Web application must be originated * When CSRF validation is enabled, forms submitted to an Yii Web application must be originated
* from the same application. If not, a 400 HTTP exception will be raised. * from the same application. If not, a 400 HTTP exception will be raised.
* *
...@@ -90,7 +90,7 @@ class Request extends \yii\base\Request ...@@ -90,7 +90,7 @@ class Request extends \yii\base\Request
* @see Controller::enableCsrfValidation * @see Controller::enableCsrfValidation
* @see http://en.wikipedia.org/wiki/Cross-site_request_forgery * @see http://en.wikipedia.org/wiki/Cross-site_request_forgery
*/ */
public $enableCsrfValidation = false; public $enableCsrfValidation = true;
/** /**
* @var string the name of the token used to prevent CSRF. Defaults to '_csrf'. * @var string the name of the token used to prevent CSRF. Defaults to '_csrf'.
* This property is used only when [[enableCsrfValidation]] is true. * This property is used only when [[enableCsrfValidation]] is true.
......
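Review bot: Flipping `$enableCsrfValidation` to `true` turns every POST without the token into a 400 for existing deployments, but the docblock change only updates the default and does not tell readers what to do for clients that cannot send the token (API consumers, non-browser callers); a short note in the docblock would help, e.g. `* Note: with this enabled, any POST request lacking the token is rejected with a 400; for actions that must accept such requests, disable it per controller via [[Controller::enableCsrfValidation]].` The docblock already references that property, so only the sentence is missing. The validation code itself is outside this hunk.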