Allow /sitemap to accept the popup query parameter as GET as long as the incoming request is from the same origin. This is probably sufficient to prevent revealing URLs to robots. And the use of GET seems to be more in keeping with the REST idea.
Commit
2804c71a43df0cd9f7c0364a735180e9e58247ea66eb43913f8166fa82a92c89
Parent
ee0f77dffac49cb…
2 files changed
+2
-3
+1
-1
+2
-3
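--- a/skins/default/js.txt
+++ b/skins/default/js.txt
@@ -123,14 +123,13 @@
 panel.style.display = 'block';
 }
 }
 // else, can't parse response as HTML or XML
 }
-xhr.open("POST", "$home/sitemap"); // note the TH1 substitution!
-xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
+xhr.open("GET", "$home/sitemap?popup"); // note the TH1 substitution!
 xhr.responseType = "document";
-xhr.send("popup=1");
+xhr.send();
 }
 else {
 showPanel(); // just show what we built above
 }
 return false; // prevent browser from acting on <a> click
 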
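Review bot: The new `xhr.open("GET", "$home/sitemap?popup")` line drops the `popup=1` value the old POST body carried, and nothing in the hunk records that the server only tests for the parameter's presence, nor that popup mode is granted solely when the server can establish the request is same-origin. A one-line comment next to the open call would save the next maintainer a trip to the C side: `// "?popup" (value irrelevant) asks for popup mode; the server honors it only for same-origin requests`. If the server's same-origin test for a GET depends on request headers the browser can withhold (a restrictive referrer policy, for instance), the response would presumably be the non-popup page, so it may be worth noting that the parse-failure fallback below is what the user then sees. The enclosing click handler begins before this hunk and its closing brace is outside it.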
| --- skins/default/js.txt | |
| +++ skins/default/js.txt | |
| @@ -123,14 +123,13 @@ | |
| 123 | panel.style.display = 'block'; |
| 124 | } |
| 125 | } |
| 126 | // else, can't parse response as HTML or XML |
| 127 | } |
| 128 | xhr.open("POST", "$home/sitemap"); // note the TH1 substitution! |
| 129 | xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); |
| 130 | xhr.responseType = "document"; |
| 131 | xhr.send("popup=1"); |
| 132 | } |
| 133 | else { |
| 134 | showPanel(); // just show what we built above |
| 135 | } |
| 136 | return false; // prevent browser from acting on <a> click |
| 137 |
| --- skins/default/js.txt | |
| +++ skins/default/js.txt | |
| @@ -123,14 +123,13 @@ | |
| 123 | panel.style.display = 'block'; |
| 124 | } |
| 125 | } |
| 126 | // else, can't parse response as HTML or XML |
| 127 | } |
| 128 | xhr.open("GET", "$home/sitemap?popup"); // note the TH1 substitution! |
| 129 | xhr.responseType = "document"; |
| 130 | xhr.send(); |
| 131 | } |
| 132 | else { |
| 133 | showPanel(); // just show what we built above |
| 134 | } |
| 135 | return false; // prevent browser from acting on <a> click |
| 136 |
+1
-1
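--- a/src/sitemap.c
+++ b/src/sitemap.c
@@ -43,11 +43,11 @@
 { "License", "sitemap-license" },
 { "Contact", "sitemap-contact" },
 };
 
 login_check_credentials();
-if( P("popup")!=0 && cgi_csrf_safe(1) ){
+if( P("popup")!=0 && cgi_csrf_safe(0) ){
 /* If this is a POST from the same origin with the popup=1 parameter,
 ** then disable anti-robot defenses */
 isPopup = 1;
 g.perm.Hyperlink = 1;
 g.javascriptHyperlink = 0;
 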
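Review bot: The comment directly under the changed condition is now stale: it still says "If this is a POST from the same origin with the popup=1 parameter", but the argument change to `cgi_csrf_safe(0)` exists precisely so that a GET is accepted too, and the JavaScript side now sends `?popup` with no value. Suggest `/* If this is a same-origin request (GET or POST) carrying the popup parameter, then disable anti-robot defenses */`. Since a same-origin determination for a GET presumably rests on client-supplied headers rather than on a POST body, a comment should also state what the gate actually protects — only the decision to emit plain hyperlinks — so a later reader does not mistake it for an authorization check; the commit message's "probably sufficient" is the right level of confidence to record here. The enclosing page handler starts before and continues past this hunk.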
| --- src/sitemap.c | |
| +++ src/sitemap.c | |
| @@ -43,11 +43,11 @@ | |
| 43 | { "License", "sitemap-license" }, |
| 44 | { "Contact", "sitemap-contact" }, |
| 45 | }; |
| 46 | |
| 47 | login_check_credentials(); |
| 48 | if( P("popup")!=0 && cgi_csrf_safe(1) ){ |
| 49 | /* If this is a POST from the same origin with the popup=1 parameter, |
| 50 | ** then disable anti-robot defenses */ |
| 51 | isPopup = 1; |
| 52 | g.perm.Hyperlink = 1; |
| 53 | g.javascriptHyperlink = 0; |
| 54 |
| --- src/sitemap.c | |
| +++ src/sitemap.c | |
| @@ -43,11 +43,11 @@ | |
| 43 | { "License", "sitemap-license" }, |
| 44 | { "Contact", "sitemap-contact" }, |
| 45 | }; |
| 46 | |
| 47 | login_check_credentials(); |
| 48 | if( P("popup")!=0 && cgi_csrf_safe(0) ){ |
| 49 | /* If this is a POST from the same origin with the popup=1 parameter, |
| 50 | ** then disable anti-robot defenses */ |
| 51 | isPopup = 1; |
| 52 | g.perm.Hyperlink = 1; |
| 53 | g.javascriptHyperlink = 0; |
| 54 |