From daddbf2555f48047ae600e5db454d02b287e2c64 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak Date: Thu, 14 Mar 2013 09:30:13 +0100 Subject: Better handling of session errors in ajax requests - do page reload on 403 Forbidden response (#1488960) --- CHANGELOG | 1 + program/js/app.js | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index 6fef2d026..6d0a959a6 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Better handling of session errors in ajax requests (#1488960) - Fix HTML part detection for some specific message structures (#1488992) - Don't show fake address - phishing prevention (#1488981) - Fix forward as attachment bug with editormode != 1 (#1488991) diff --git a/program/js/app.js b/program/js/app.js index 9f76757a6..637d6f5d8 100644 --- a/program/js/app.js +++ b/program/js/app.js @@ -6249,6 +6249,14 @@ function rcube_webmail() if (location_url && this.env.action != 'compose') // don't redirect on compose screen, contents might get lost (#1488926) this.redirect(location_url); + // 403 Forbidden response (CSRF prevention) - reload the page. + // In case there's a new valid session it will be used, otherwise + // login form will be presented (#1488960). + if (request.status == 403) { + (this.is_framed() ? parent : window).location.reload(); + return; + } + // re-send keep-alive requests after 30 seconds if (action == 'keep-alive') setTimeout(function(){ ref.keep_alive(); ref.start_keepalive(); }, 30000); -- cgit v1.2.3