Table of Contents:

  • Overview

    The jrCore_window_location() javascript function is used in a similar way to a standard a href="" would be.

    It allows the browser window to be redirected to a different URL.

    The standard javascript way of doing it would be window.location=.

    The advantage of using the jamroom function instead is that it adds a CSRF cookie to the link which prevents 'Cross Site Request Forgery' attacks.
    Quote: Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.

  • Question

    I have a delete button which is not on a profile, it is in a module view.

    The delete fails on jrCore_validate_location_url(); so I’ve temporarily copied that function to ujModule_validate_location_url(); whilst figuring out why. If I comment out the validate_location_url check everything works fine, but it looks like I need a check for CSRF purposes?
  • Answer

    Yes - it's failing since the CSRF cookie is not present - to get it working all you need to do is make sure your button (or link or whatever) you are linking to this action goes through jrCore_window_location - i.e.
    <a onclick="jrCore_window_location('your delete url');">Click here to delete it</a>
  • The jrCore_window_location ensures the destination URL was reached from the correct action and not as part of a CSRF attack.

    In the receiving view, to validate the request is coming from the proper action, add:


    at the top of the view function.