JAMROOM
jrCore_window_location()
-
The jrCore_window_location() javascript function is used in a similar way to a standard a href="" would be.
Overview
It allows the browser window to be redirected to a different URL.
The standard javascript way of doing it would be window.location=.
The advantage of using the jamroom function instead is that it adds a CSRF cookie to the link which prevents 'Cross Site Request Forgery' attacks.
Quote: Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF (sometimes pronounced sea-surf) or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts.
-
Question comes from this forum thread: https://www.jamroom.net/the-jamroom-network/forum/jamroom-developers/6538/jrcore-validate-location-url
-
I have a delete button which is not on a profile, it is in a module view.
Question
The delete fails on jrCore_validate_location_url(); so I’ve temporarily copied that function to ujModule_validate_location_url(); whilst figuring out why. If I comment out the validate_location_url check everything works fine, but it looks like I need a check for CSRF purposes?
-
Yes - it's failing since the CSRF cookie is not present - to get it working all you need to do is make sure your button (or link or whatever) you are linking to this action goes through jrCore_window_location - i.e.
Answer
<a onclick="jrCore_window_location('your delete url');">Click here to delete it</a> -
The jrCore_window_location ensures the destination URL was reached from the correct action and not as part of a CSRF attack.
In the receiving view, to validate the request is coming from the proper action, add:
jrCore_validate_location_url();
at the top of the view function.
