From 1e04ca7c467b392f8259ccd711613448313a7929 Mon Sep 17 00:00:00 2001
From: Tony Drake
Date: Thu, 3 Oct 2024 08:38:07 -0400
Subject: [PATCH] Consider https for same origin check

Closes #80

Adds an additional check in `sameHostname` to not include the CSRF token for https requests on different domains.
---
 __tests__/fetch_request.js | 7 ++++++-
 src/fetch_request.js | 2 +-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/__tests__/fetch_request.js b/__tests__/fetch_request.js
index 482da13..1a2f82e 100644
--- a/__tests__/fetch_request.js
+++ b/__tests__/fetch_request.js
@@ -223,11 +223,16 @@ describe('header handling', () => {
 
   describe('csrf token inclusion', () => {
     // window.location.hostname is "localhost" in the test suite
-    test('csrf token is not included in headers if url hostname is not the same as window.location', () => {
+    test('csrf token is not included in headers if url hostname is not the same as window.location (http)', () => {
       const request = new FetchRequest("get", "http://removeservice.com/test.json")
       expect(request.fetchOptions.headers).not.toHaveProperty("X-CSRF-Token")
     })
 
+    test('csrf token is not included in headers if url hostname is not the same as window.location (https)', () => {
+      const request = new FetchRequest("get", "https://removeservice.com/test.json")
+      expect(request.fetchOptions.headers).not.toHaveProperty("X-CSRF-Token")
+    })
+
     test('csrf token is included in headers if url hostname is the same as window.location', () => {
       const request = new FetchRequest("get", "http://localhost/test.json")
       expect(request.fetchOptions.headers).toHaveProperty("X-CSRF-Token")
diff --git a/src/fetch_request.js b/src/fetch_request.js
index 2d27f01..11a78bf 100644
--- a/src/fetch_request.js
+++ b/src/fetch_request.js
@@ -49,7 +49,7 @@ export class FetchRequest {
   }
 
   sameHostname () {
-    if (!this.originalUrl.startsWith('http:')) {
+    if (!this.originalUrl.startsWith('http:') && !this.originalUrl.startsWith('https:')) {
       return true
     }
 
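Review bot: The new `(https)` case only pins the lower-case `https:` prefix; a scheme-relative URL such as `//removeservice.com/test.json` and an upper-case scheme such as `HTTPS://removeservice.com/test.json` begin with neither `http:` nor `https:`, so the guard this commit extends in `sameHostname` still returns true for them and, per the commit description, the token would be attached to a cross-host request. Add a sibling test for each, e.g. `const request = new FetchRequest("get", "//removeservice.com/test.json")` followed by `expect(request.fetchOptions.headers).not.toHaveProperty("X-CSRF-Token")`, so that a later tightening of the guard has a failing test to satisfy. Whether `fetchOptions` actually routes through `sameHostname` is not visible in this hunk, so that part is inferred from the description and the existing tests.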
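Review bot: The extended prefix guard in `sameHostname` still treats any URL not beginning with exactly `http:` or `https:` as same-host, which includes scheme-relative URLs (`//other.example/path`) and upper-case schemes (`HTTPS://other.example/path`, since `startsWith` is case-sensitive while URL schemes are not); both are cross-host requests that would take the early `return true`. Resolving the URL against the current document removes the need for scheme sniffing and handles relative paths the same way: `const url = new URL(this.originalUrl, window.location.href)` then `return url.hostname === window.location.hostname`, keeping an early `return true` only for the parse-failure path. The body of `sameHostname` runs past the end of this hunk, so it may already contain a `URL` comparison for the absolute case; if so, the change is to drop the prefix check and pass `window.location.href` as the base. Consider also whether comparing `hostname` alone rather than `origin` is intended, since a different port or scheme on the same host would still receive the token.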