Ajax.Request will execute scripts by default because the evalJS option defaults to true. This is a security issue which is supposed to be alleviated by the "only for same-origin requests" requirement. Unfortunately, that requirement isn't being enforced properly. So while the URL "http://example.com/" isn't considered same-origin, "//example.com/" is. Ajax.Request.isSameOrigin() needs to normalize URLs first, e.g. by passing them to the URL() constructor. This will also allow using url.origin instead of parsing URLs manually.
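The normalization asked for above, as an added example (not Prototype's own code): `naiveIsSameOrigin` is a constructed stand-in for a check that only inspects URLs with an explicit http(s) scheme, and `normalizedIsSameOrigin` resolves the URL with `URL()` and compares `origin`. The function names, the `pageUrl` parameter (standing in for `location.href`) and the sample URLs are assumptions.

```javascript
// Constructed page URL; in a browser this would be window.location.href.
const PAGE = 'https://app.example.test/dashboard';

// Manual parsing: anything without an explicit http(s) scheme is assumed
// to be a relative URL and therefore same-origin.
function naiveIsSameOrigin(url, pageUrl) {
  const page = new URL(pageUrl);
  const m = url.match(/^\s*https?:\/\/[^\/]*/);
  return !m || m[0] === page.protocol + '//' + page.host;
}

// Normalized check: resolve the URL against the page the way the browser
// will when it sends the request, then compare serialized origins.
function normalizedIsSameOrigin(url, pageUrl) {
  let target;
  try {
    target = new URL(url, pageUrl);
  } catch (e) {
    return false; // unparseable input: fail closed, never evaluate the response
  }
  // Opaque origins serialize to the string "null"; never treat them as matching.
  return target.origin !== 'null' && target.origin === new URL(pageUrl).origin;
}

// Constructed sample URLs; "//example.com/" is the case from the report.
const SAMPLES = [
  '/api/items',                       // relative path
  'https://app.example.test/api',     // absolute, same origin
  'https://app.example.test:443/api', // same origin, default port spelled out
  'http://example.com/',              // absolute, other origin
  '//example.com/'                    // scheme-relative, other origin
];

function compareChecks(pageUrl) {
  return SAMPLES.map(function (url) {
    return {
      url: url,
      naive: naiveIsSameOrigin(url, pageUrl),
      normalized: normalizedIsSameOrigin(url, pageUrl)
    };
  });
}

console.table(compareChecks(PAGE));
```

The two checks disagree on the last row, where the scheme-relative URL resolves to a different host, and on the `:443` row, where string comparison rejects a URL that is in fact same-origin.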