[Owncloud] Race condition with CSRF protection token initialization

Christian Reiner foss at christian-reiner.info
Thu Aug 23 20:10:54 UTC 2012


Hello all, 
I experience problems during app initialization from time to time. These 
problems can be tracked down to a race condition in the app setup. It is a 
general issue with the CSRF protection: 

When using an ajax call during app initialization (say to fetch additional 
dialogs or something) this is usually done inside a dynamic function called 
from within a jquery $(document).ready() call. For these ajax calls the CSRF 
protection token is required to be present, or better the token has to be 
bound as an additional request parameter to all calls. This binding is done by 
a small js script embedded in the page's head section. It is meant to be run 
after jquery is present but before any further action is started. 

However, now and then it happens that the initializing ajax calls are fired 
_before_ that binding is completed. Therefore the ajax calls fail (CSRF 
protection), thus the apps fail to initialize. I managed to reduce these 
problems by wrapping them inside a $(window).load() instead of a 
$(document).ready(), but this is far from being a good idea. Besides an 
obvious performance penalty this does not reliably fix the problem. Another 
strategy might be to check if the binding has occurred already (or wait for it 
if not). But this is clearly the wrong place to fix this issue. 

The inclusion of the CSRF protection token has to be changed in such way that 
it is guaranteed that the token is bound before any further code (OC or app 
specific) is started. 

Anyone got an idea for this?

-- 
Christian Reiner (arkascha)
[ foss at christian-reiner.info ]
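The ordering guarantee asked for above, as an added example (not part of the post and not ownCloud's code): a small gate that queues any request issued before the token is bound and releases it with the token attached once the head script has run, so app code in $(document).ready() can no longer race past the binding. The names csrfGate, bindToken and request are hypothetical, the parameter name requesttoken is assumed, and the transport is injected so it runs offline.

```javascript
// Added example, not ownCloud code: a gate that guarantees the CSRF token is
// attached to every request, even when app code fires its ajax calls before
// the head script that binds the token has run. Names are hypothetical.

const csrfGate = (() => {
  let token = null;   // set once the head script binds it
  const waiting = []; // resolvers of requests issued before binding
  return {
    // Called by the small script in the page head once the token is known.
    bindToken(value) {
      token = value;
      while (waiting.length) waiting.shift()(token); // release queued requests
    },
    // Resolves immediately if bound, otherwise when bindToken() runs.
    ready() {
      return token !== null
        ? Promise.resolve(token)
        : new Promise((resolve) => waiting.push(resolve));
    },
    isBound() { return token !== null; },
  };
})();

// Request wrapper that never sends without the token: waits for the gate, then
// adds the token as an additional request parameter (name assumed).
async function request(url, params, transport) {
  const token = await csrfGate.ready();
  return transport(url, { ...params, requesttoken: token });
}

// Reproduce the race: app code fires its initialising call first, the head
// script binds the token afterwards, and the call still goes out with it.
async function demo() {
  const sent = []; // constructed stand-in for the network
  const transport = (url, params) => { sent.push({ url, params }); return params; };
  const early = request('/apps/example/ajax/dialog.php', { id: 1 }, transport);
  csrfGate.bindToken('constructed-token-123'); // head script runs "late"
  await early;
  return sent;
}
```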
