djaodjin / djaodjin-saas

Django application for software-as-service and subscription businesses

httpRequestMixin #172 #178

Closed knivets closed 5 years ago

smirolo commented 5 years ago

Can we have get, post, put, patch, delete methods in the httpMixin, with parameters:

The idea is that the httpMixin methods add the contentType, dataType and authorization headers to prevent issues like CVE-2015-9251.

knivets commented 5 years ago

A contentType etc. can be added inside req by augmenting the params argument.

knivets commented 5 years ago

So the only use case for those methods here is to not type `method: 'post'` inside params.

smirolo commented 5 years ago

The rationale is to simplify the interface for ajax calls done by the components, so as to mitigate potential issues like CVE-2015-9251: "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed."

knivets commented 5 years ago

Maybe I'm missing something but can't we add the needed parameters inside the req implementation, like this:

// Method of the mixin object; handleRequestError is the shared failure
// handler defined elsewhere in the same object.
req: function(params, doneCb, failCb){
  if(!failCb) failCb = handleRequestError;
  // Fixed options written onto the caller's params before the call.
  params.contentType = 'application/json';
  // Note: 'authentication' is not a jQuery.ajax option; it is passed through unchanged.
  params.authentication = 'http';
  return $.ajax(params).done(doneCb).fail(failCb);
},
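For comparison, an added example (not djaodjin-saas code and not from either commenter) of the mixin shape proposed in the thread: per-verb helpers that funnel into one req, with dataType and contentType applied after the caller's params so a component cannot drop dataType and leave a cross-domain text/javascript response to be evaluated (the CVE-2015-9251 case). The transport function, handleRequestError and the Bearer authToken scheme are assumptions standing in for $.ajax and the project's own hooks.

```javascript
'use strict';

// Assumption: a promise-returning stand-in for $.ajax so the example runs
// offline; it just echoes the options it was given.
function fakeTransport(opts) {
  return Promise.resolve({ request: opts });
}

// Assumption: shared failure handler, as in the req() posted above.
function handleRequestError(err) {
  console.error('request failed:', err);
}

const httpRequestMixin = {
  transport: fakeTransport,
  authToken: null, // assumption: set by the component using the mixin

  // Merge the caller's params first, then overwrite the security-relevant
  // options, so dataType/contentType cannot be dropped or changed by a
  // component; Object.assign keeps any caller-supplied headers.
  buildRequest(method, url, data, params) {
    const opts = Object.assign({}, params || {});
    const headers = Object.assign({}, opts.headers || {});
    if (this.authToken) headers.Authorization = 'Bearer ' + this.authToken;
    Object.assign(opts, {
      method: method.toUpperCase(),
      url: url,
      dataType: 'json',                  // response parsed as JSON, never executed
      contentType: 'application/json',
      headers: headers,
    });
    if (data !== undefined) opts.data = JSON.stringify(data);
    return opts;
  },

  // Same contract as the thread's req(): callbacks optional, failures routed
  // to the shared handler.
  req(params, doneCb, failCb) {
    return this.transport(params).then(doneCb, failCb || handleRequestError);
  },

  get(url, params, doneCb, failCb) {
    return this.req(this.buildRequest('get', url, undefined, params), doneCb, failCb);
  },
};

// post/put/patch/delete differ only in the verb, so generate them.
['post', 'put', 'patch', 'delete'].forEach(function (verb) {
  httpRequestMixin[verb] = function (url, data, params, doneCb, failCb) {
    return this.req(this.buildRequest(verb, url, data, params), doneCb, failCb);
  };
});
```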