# HG changeset patch
# User Alain Mazy
# Date 1567499606 -7200
# Node ID 1a65beb5e52f01026a66947133d56571503fa9f6
# Parent 5405d51e040d152662e78f05e9fe83104ff4cca1
allow only 'token', 'auth-token' and 'authorization' as url params that are included in HTTP headers
diff -r 5405d51e040d -r 1a65beb5e52f OrthancExplorer/explorer.js
--- a/OrthancExplorer/explorer.js Tue Sep 03 09:49:10 2019 +0200
+++ b/OrthancExplorer/explorer.js Tue Sep 03 10:33:26 2019 +0200
@@ -91,28 +91,28 @@
 }
 });
-var GetUrlParametersAsDict = function getUrlParametersAsDict(sParam) {
+function GetAuthorizationTokensFromUrl() {
 var urlVariables = window.location.search.substring(1).split('&');
 var dict = {};
 for (var i = 0; i < urlVariables.length; i++) {
 var split = urlVariables[i].split('=');
- if (split.length == 2) {
+ if (split.length == 2 && (split[0] == "token" || split[0] == "auth-token" || split[0] == "authorization")) {
 dict[split[0]] = split[1];
 }
 }
 return dict;
 };
-var initSearchParams = GetUrlParametersAsDict();
+var authorizationTokens = GetAuthorizationTokensFromUrl();
-/* Copy all url search parameters into HTTP headers in every request to the Rest API.
+/* Copy the authoziation toekn from the url search parameters into HTTP headers in every request to the Rest API.
 Thanks to this behaviour, you may specify a ?token=xxx in your url and this will be passed as the "token" header in every request to the API allowing you to use the authorization plugin */
 $.ajaxSetup(
 {
- headers : initSearchParams
+ headers : authorizationTokens
 }
 );
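Review bot: The parser in `GetAuthorizationTokensFromUrl` still keeps a pair only when `split('=')` yields exactly two parts, so an allowed `token`/`auth-token`/`authorization` value that itself contains `=` (base64 padding, for example) is dropped without any message and the requests presumably go out without the header. Splitting on the first `=` only, e.g. `var eq = urlVariables[i].indexOf('=');` with `dict[name] = urlVariables[i].substring(eq + 1);`, avoids that; whether the value should also pass through `decodeURIComponent` depends on what the authorization plugin expects and is worth stating in the comment. Because the token arrives in the query string it also stays in the address bar, browser history and any Referer sent from this page, and `$.ajaxSetup` attaches it to every jQuery request the page makes, so the block comment above `$.ajaxSetup` should say so (it also has the typos "authoziation toekn").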