Exposure of Sensitive Information to an Unauthorized Actor
jquery_ujs.js in jquery-rails and rails.js in jquery-ujs, as used with Ruby on Rails, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.