prototypejs / prototype

Prototype JavaScript framework
http://prototypejs.org/

Ajax.Request.isSameOrigin() check is insecure #332

Open palant opened 6 years ago

palant commented 6 years ago

Ajax.Request will execute scripts by default because evalJS option defaults to true. This is a security issue which is supposed to be alleviated by the "only for same-origin requests" requirement. Unfortunately, that requirement isn't being enforced properly. So while the URL "http://example.com/" isn't considered same-origin, "//example.com/" is. Ajax.Request.isSameOrigin() needs to normalize URLs first, e.g. by passing them to the URL() constructor. This will also allow using url.origin instead of parsing URLs manually.
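The gap described in the report, and the URL()-based fix it proposes, as an added example (not Prototype's own code): the `naiveIsSameOrigin` function is a simplified reconstruction of a scheme-prefix check and is an assumption, and the page origin and test URLs are constructed.

```javascript
// Simplified reconstruction of a prefix-based same-origin check (an
// assumption, not the library's source): only URLs that start with an
// explicit "http://" or "https://" are compared against the page origin;
// everything else is taken to be relative and therefore same-origin.
function naiveIsSameOrigin(url, pageOrigin) {
  const m = url.match(/^\s*https?:\/\/[^\/]*/);
  return !m || m[0] === pageOrigin;
}

// Fixed check: resolve the request URL against the page URL with the WHATWG
// URL constructor, then compare origins. Unparsable input is rejected.
function isSameOrigin(url, pageUrl) {
  let target;
  try {
    target = new URL(url, pageUrl);
  } catch (e) {
    return false;
  }
  return target.origin === new URL(pageUrl).origin;
}

// Constructed sample page and request URLs with the expected verdict.
const PAGE = "https://app.example.org/dashboard";
const PAGE_ORIGIN = "https://app.example.org";
const CASES = [
  ["/api/data", true],                   // path-relative: same origin
  ["https://app.example.org/api", true], // explicit, same host and port
  ["http://example.com/", false],        // explicit foreign origin
  ["//example.com/", false],             // protocol-relative: the reported bug
  ["https://app.example.org:8443/", false], // same host, different port
  ["data:text/plain,x", false],          // opaque origin ("null")
  ["\\\\example.com/", false],           // backslashes parse as slashes
];

// Returns one row per case: the naive verdict, the fixed verdict, expected.
function runCases() {
  return CASES.map(([url, expected]) => ({
    url,
    naive: naiveIsSameOrigin(url, PAGE_ORIGIN),
    fixed: isSameOrigin(url, PAGE),
    expected,
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of runCases()) console.log(row);
}
```

The naive check accepts "//example.com/" because it never sees a scheme prefix, while the resolved origin "https://example.com" differs from the page's and is correctly rejected.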