From b3a46135955d0f1d3e3d39185ef977996c8cce9a Mon Sep 17 00:00:00 2001
From: Luke Plant <L.Plant.98@cantab.net>
Date: Mon, 9 May 2011 15:45:10 +0000
Subject: [PATCH] [1.3.X] Fixed #15869 - example AJAX code in CSRF docs fails
 sometimes for IE7 or absolute same origin URLs

Thanks to nick for the report.

Backport of [16183] from trunk.

git-svn-id: http://code.djangoproject.com/svn/django/branches/releases/1.3.X@16184 bcc190cf-cafb-0310-a4f2-bffc1f526a37
---
 docs/ref/contrib/csrf.txt | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/docs/ref/contrib/csrf.txt b/docs/ref/contrib/csrf.txt
index c28bd0319f..31f377312d 100644
--- a/docs/ref/contrib/csrf.txt
+++ b/docs/ref/contrib/csrf.txt
@@ -96,7 +96,7 @@ that allow headers to be set on every request. In jQuery, you can use the
 
 .. code-block:: javascript
 
-    $('html').ajaxSend(function(event, xhr, settings) {
+    $(document).ajaxSend(function(event, xhr, settings) {
         function getCookie(name) {
             var cookieValue = null;
             if (document.cookie && document.cookie != '') {
@@ -112,8 +112,19 @@ that allow headers to be set on every request. In jQuery, you can use the
             }
             return cookieValue;
         }
-        if (!(/^http:.*/.test(settings.url) || /^https:.*/.test(settings.url))) {
-            // Only send the token to relative URLs i.e. locally.
+        function sameOrigin(url) {
+            // url could be relative or scheme relative or absolute
+            var host = document.location.host; // host + port
+            var protocol = document.location.protocol;
+            var sr_origin = '//' + host;
+            var origin = protocol + sr_origin;
+            // Allow absolute or scheme relative URLs to same origin
+            return (url == origin || url.slice(0, origin.length + 1) == origin + '/') ||
+                (url == sr_origin || url.slice(0, sr_origin.length + 1) == sr_origin + '/') ||
+                // or any other URL that isn't scheme relative or absolute i.e relative.
+                !(/^(\/\/|http:|https:).*/.test(url));
+        }
+        if (sameOrigin(settings.url)) {
             xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
         }
     });
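Review bot: The catch-all on the last line of sameOrigin, `!(/^(\/\/|http:|https:).*/.test(url))`, is case-sensitive and only recognises two scheme spellings, so a URL such as `HTTP://evil.example/` or the backslash form `/\evil.example/` (which browsers resolve as scheme-relative for http(s) URLs) is classified as "relative" and still gets the X-CSRFToken header with the csrftoken cookie value. The two explicit origin comparisons above it only ever widen the match to the page's own origin, so this fallback is the only place the check can leak the token cross-origin. A safer fallback treats anything that starts with a scheme, or with `/` followed by `/` or `\`, as non-relative: `!(/^(\/[\/\\]|[a-z][a-z0-9+.\-]*:)/i.test(url))`. Since readers copy this sample verbatim, the surrounding prose should also say that the header must never be sent to another origin. The enclosing ajaxSend callback starts outside this hunk.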