From 96eccc362cfa300cc8a2c41b47bb175563af1572 Mon Sep 17 00:00:00 2001 From: Krzysztof Tarnowski Date: Sun, 6 Mar 2011 21:28:34 +0100 Subject: [PATCH 1/6] Added utility function for getting cookie value. --- lib/util.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/util.js b/lib/util.js index b5875721e..51caa3ee4 100644 --- a/lib/util.js +++ b/lib/util.js @@ -41,7 +41,11 @@ isArray: function(obj){ return Object.prototype.toString.call(obj) === '[object Array]'; }, - + getCookie: function(name){ + var r = document.cookie.match("\\b" + name + "=([^;]*)\\b"); + return r ? r[1] : undefined; + }, + merge: function(target, additional){ for (var i in additional) if (additional.hasOwnProperty(i)) From 912b6ce25f28db0e33825632ea738babf6346b72 Mon Sep 17 00:00:00 2001 From: Krzysztof Tarnowski Date: Sun, 6 Mar 2011 21:29:05 +0100 Subject: [PATCH 2/6] Fixed an issue with mixed tabs and spaces. --- lib/util.js | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/lib/util.js b/lib/util.js index 51caa3ee4..24833cdc7 100644 --- a/lib/util.js +++ b/lib/util.js @@ -45,12 +45,11 @@ var r = document.cookie.match("\\b" + name + "=([^;]*)\\b"); return r ? r[1] : undefined; }, - - merge: function(target, additional){ - for (var i in additional) - if (additional.hasOwnProperty(i)) - target[i] = additional[i]; - } + merge: function(target, additional){ + for (var i in additional) + if (additional.hasOwnProperty(i)) + target[i] = additional[i]; + }, }; From 5fd3d594757576d92b9027096663bd697b32a3f1 Mon Sep 17 00:00:00 2001 From: Krzysztof Tarnowski Date: Sun, 6 Mar 2011 21:32:48 +0100 Subject: [PATCH 3/6] Patched Socket.IO XHR transport to include X-XSRFToken header. The header is required by the Tornado XSRF protection mechanism. See Tornado documentation for details. --- lib/transports/xhr.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/transports/xhr.js b/lib/transports/xhr.js index 3fb4503fd..e2be2d48a 100644 
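Review bot: `getCookie` builds its pattern by concatenating `name` into a regex string unescaped and closes the capture with a trailing `\\b`, so a cookie value that ends in a non-word character (a padding `=`, a `|` separator) is silently truncated by backtracking to the last word boundary, and a name containing regex metacharacters yields a wrong pattern or a SyntaxError. Because later patches in this series send the returned value as the XSRF token, a truncated value fails Tornado's check rather than being rejected visibly. Splitting `document.cookie` on `;` and comparing the name exactly avoids both problems without a regex, keeping the same raw (undecoded) return value and `undefined` on a miss; the rewritten member is below. The enclosing object literal starts and ends outside the hunk.
```javascript
  getCookie: function(name){
    var cookies = document.cookie.split(';');
    for (var i = 0; i < cookies.length; i++){
      var cookie = cookies[i].replace(/^\s+/, '');
      var eq = cookie.indexOf('=');
      if (eq !== -1 && cookie.substring(0, eq) === name)
        return cookie.substring(eq + 1);
    }
    return undefined;
  },
```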
--- a/lib/transports/xhr.js +++ b/lib/transports/xhr.js @@ -115,6 +115,9 @@ if (multipart) req.multipart = true; req.open(method || 'GET', this._prepareUrl() + (url ? '/' + url : '')); if (method == 'POST' && 'setRequestHeader' in req){ + secureCookie = io.util.getCookie('_xsrf'); + if (secureCookie) req.setRequestHeader('X-XSRFToken', secureCookie); + req.setRequestHeader('Content-type', 'application/x-www-form-urlencoded; charset=utf-8'); } return req; From 5ba869a7d9c1fdbe553fb31763dfae594daa4296 Mon Sep 17 00:00:00 2001 From: Krzysztof Tarnowski Date: Sun, 6 Mar 2011 21:35:22 +0100 Subject: [PATCH 4/6] Fixed an issues with messed up indentation. --- lib/transports/xhr.js | 50 +++++++++++++++++++++---------------------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/lib/transports/xhr.js b/lib/transports/xhr.js index e2be2d48a..48aa3e2f6 100644 --- a/lib/transports/xhr.js +++ b/lib/transports/xhr.js @@ -1,6 +1,6 @@ /** * Socket.IO client - * + * * @author Guillermo Rauch * @license The MIT license. * @copyright Copyright (c) 2010 LearnBoost @@ -8,16 +8,16 @@ (function(){ var io = this.io; - + var empty = new Function, - + XMLHttpRequestCORS = (function(){ if (!('XMLHttpRequest' in window)) return false; // CORS feature detection var a = new XMLHttpRequest(); return a.withCredentials != undefined; })(), - + request = function(xdomain){ if ('XDomainRequest' in window && xdomain) return new XDomainRequest(); if ('XMLHttpRequest' in window && (!xdomain || XMLHttpRequestCORS)) return new XMLHttpRequest(); @@ -26,7 +26,7 @@ var a = new ActiveXObject('MSXML2.XMLHTTP'); return a; } catch(e){} - + try { var b = new ActiveXObject('Microsoft.XMLHTTP'); return b; 
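Review bot: `secureCookie` on the first added line is assigned without `var`, so it becomes an implicit global shared by every transport instance and every other script on the page; declare it locally with `var secureCookie = io.util.getCookie('_xsrf');`. The same pattern appears in patch 5's jsonp-polling hunk, where both `secureCookie` and `input` are assigned without a declaration. Separately, the header is attached to every POST the transport builds, and `_request` obtains its request object via `request(this.base._isXDomain())` (visible in patch 4's context), so when the Socket.IO base is cross-origin the page's own `_xsrf` cookie value is forwarded to that other origin — presumably acceptable only for same-origin Tornado deployments, which is worth stating in a comment such as `// Tornado XSRF protection: token is read from the page's _xsrf cookie, intended for same-origin servers`. `_request` starts before the hunk.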
@@ -34,19 +34,19 @@ } return false; }, - + XHR = io.Transport.XHR = function(){ io.Transport.apply(this, arguments); this._sendBuffer = []; }; - + io.util.inherit(XHR, io.Transport); - + XHR.prototype.connect = function(){ this._get(); return this; }; - + XHR.prototype._checkSend = function(){ if (!this._posting && this._sendBuffer.length){ var encoded = this._encode(this._sendBuffer); @@ -54,7 +54,7 @@ this._send(encoded); } }; - + XHR.prototype.send = function(data){ if (io.util.isArray(data)){ this._sendBuffer.push.apply(this._sendBuffer, data); @@ -64,7 +64,7 @@ this._checkSend(); return this; }; - + XHR.prototype._send = function(data){ var self = this; this._posting = true; @@ -84,32 +84,32 @@ }; this._sendXhr.send('data=' + encodeURIComponent(data)); }; - + XHR.prototype.disconnect = function(){ // send disconnection signal this._onDisconnect(); return this; }; - + XHR.prototype._onDisconnect = function(){ if (this._xhr){ this._xhr.onreadystatechange = empty; - try { - this._xhr.abort(); - } catch(e){} + try { + this._xhr.abort(); + } catch(e){} this._xhr = null; } if (this._sendXhr){ - this._sendXhr.onreadystatechange = empty; - try { - this._sendXhr.abort(); - } catch(e){} + this._sendXhr.onreadystatechange = empty; + try { + this._sendXhr.abort(); + } catch(e){} this._sendXhr = null; } this._sendBuffer = []; io.Transport.prototype._onDisconnect.call(this); }; - + XHR.prototype._request = function(url, method, multipart){ var req = request(this.base._isXDomain()); if (multipart) req.multipart = true; @@ -122,18 +122,18 @@ } return req; }; - + XHR.check = function(xdomain){ try { if (request(xdomain)) return true; } catch(e){} return false; }; - + XHR.xdomainCheck = function(){ return XHR.check(true); }; - + XHR.request = request; - + })(); From 745a9da70b8498a0ed568350acb2f1ca54485947 Mon Sep 17 00:00:00 2001 
From: Krzysztof Tarnowski Date: Sun, 6 Mar 2011 21:39:30 +0100 Subject: [PATCH 5/6] Patched Socket.IO JSONP transport to include _xsrf post argument on each request. The change is required for the Socket.IO to work with Tornado's XSRF protection. --- lib/transports/jsonp-polling.js | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/lib/transports/jsonp-polling.js b/lib/transports/jsonp-polling.js index 6f6829f78..30fb1577a 100644 --- a/lib/transports/jsonp-polling.js +++ b/lib/transports/jsonp-polling.js @@ -38,6 +38,16 @@ form.action = this._prepareUrl() + '/' + (+new Date) + '/' + this._index; area.name = 'data'; form.appendChild(area); + //Tornado + secureCookie = io.util.getCookie('_xsrf'); + if (secureCookie) { + input = document.createElement('input'); + input.type = 'hidden'; + input.name = '_xsrf'; + input.value = secureCookie; + form.appendChild(input); + } + this._insertAt.parentNode.insertBefore(form, this._insertAt); document.body.appendChild(form); @@ -117,4 +127,4 @@ JSONPPolling.xdomainCheck = function(){ return true; }; -})(); \ No newline at end of file +})(); From d20d9db0ae3d07d7498a3bafa015219de264c4cc Mon Sep 17 00:00:00 2001 From: Krzysztof Tarnowski Date: Sun, 6 Mar 2011 21:40:36 +0100 Subject: [PATCH 6/6] Fixed an issue with messed up indentation. --- lib/transports/jsonp-polling.js | 42 ++++++++++++++++----------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/lib/transports/jsonp-polling.js b/lib/transports/jsonp-polling.js index 30fb1577a..f2d0cb221 100644 --- a/lib/transports/jsonp-polling.js +++ b/lib/transports/jsonp-polling.js 
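Review bot: The hidden `_xsrf` input is created inside the one-time form setup (the `if (!('_form' in this))` guard visible in patch 6's context), so the token is read from the cookie once per transport instance; if the `_xsrf` cookie is reissued during a long-lived connection the form keeps posting the old value, whereas the XHR transport in patch 3 re-reads the cookie on every POST. Consider keeping a reference to the input and refreshing `input.value` from `io.util.getCookie('_xsrf')` where the form is submitted, or at least documenting the one-shot behaviour; the bare `//Tornado` comment could read `// Tornado's XSRF check expects the token in an _xsrf form field on every POST`. `_send` starts before the hunk and continues after it.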
@@ -8,20 +8,20 @@ (function(){ var io = this.io; - + io.JSONP = []; - + JSONPPolling = io.Transport['jsonp-polling'] = function(){ io.Transport.XHR.apply(this, arguments); this._insertAt = document.getElementsByTagName('script')[0]; this._index = io.JSONP.length; io.JSONP.push(this); }; - + io.util.inherit(JSONPPolling, io.Transport['xhr-polling']); - + JSONPPolling.prototype.type = 'jsonp-polling'; - + JSONPPolling.prototype._send = function(data){ var self = this; if (!('_form' in this)){ @@ -29,7 +29,7 @@ area = document.createElement('TEXTAREA'), id = this._iframeId = 'socket_io_iframe_' + this._index, iframe; - + form.style.position = 'absolute'; form.style.top = '-1000px'; form.style.left = '-1000px'; @@ -50,22 +50,22 @@ this._insertAt.parentNode.insertBefore(form, this._insertAt); document.body.appendChild(form); - + this._form = form; this._area = area; } - + function complete(){ initIframe(); self._posting = false; self._checkSend(); }; - + function initIframe(){ if (self._iframe){ self._form.removeChild(self._iframe); - } - + } + try { // ie6 dynamic iframes with target="" support (thanks Chris Lambacher) iframe = document.createElement('