[chrome/xsrf] if a user sends a custom xsrfToken, it should be ignored

elastic · Dec 9, 2015 · fadadb8 · fadadb8
1 parent b0a36de
commit fadadb8
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/src/ui/public/chrome/api/__tests__/xsrf.js b/src/ui/public/chrome/api/__tests__/xsrf.js
@@ -112,10 +112,10 @@ describe('chrome xsrf apis', function () {
         $httpBackend.flush();
       });
 
-      it('accepts alternate tokens to use', function () {
+      it('treats the kbnXsrfToken option as boolean-y', function () {
         const customToken = `custom:${version}`;
         $httpBackend.expectPOST('/api/test', undefined, function (headers) {
-          return headers[xsrfHeader] === customToken;
+          return headers[xsrfHeader] === version;
         }).respond(200, '');
 
         $http({

diff --git a/src/ui/public/chrome/api/xsrf.js b/src/ui/public/chrome/api/xsrf.js
@@ -7,19 +7,19 @@ export default function (chrome, internals) {
     return internals.version;
   };
 
-  $.ajaxPrefilter(function ({ kbnXsrfToken = internals.version }, originalOptions, jqXHR) {
+  $.ajaxPrefilter(function ({ kbnXsrfToken = true }, originalOptions, jqXHR) {
     if (kbnXsrfToken) {
-      jqXHR.setRequestHeader('kbn-version', kbnXsrfToken);
+      jqXHR.setRequestHeader('kbn-version', internals.version);
     }
   });
 
   chrome.$setupXsrfRequestInterceptor = function ($httpProvider) {
     $httpProvider.interceptors.push(function () {
       return {
         request: function (opts) {
-          const { kbnXsrfToken = internals.version } = opts;
+          const { kbnXsrfToken = true } = opts;
           if (kbnXsrfToken) {
-            set(opts, ['headers', 'kbn-version'], kbnXsrfToken);
+            set(opts, ['headers', 'kbn-version'], internals.version);
           }
           return opts;
         }