Merge pull request #81 from t27duck/80_samehost_https

marcelolx · web-flow · commit 7e77fb30a60e · 2024-10-03T10:00:36.000-03:00
Consider https for same origin check
diff --git a/__tests__/fetch_request.js b/__tests__/fetch_request.js
@@ -223,11 +223,16 @@ describe('header handling', () => {
 
   describe('csrf token inclusion', () => {
     // window.location.hostname is "localhost" in the test suite
-    test('csrf token is not included in headers if url hostname is not the same as window.location', () => {
+    test('csrf token is not included in headers if url hostname is not the same as window.location (http)', () => {
       const request = new FetchRequest("get", "http://removeservice.com/test.json")
       expect(request.fetchOptions.headers).not.toHaveProperty("X-CSRF-Token")
     })
 
+    test('csrf token is not included in headers if url hostname is not the same as window.location (https)', () => {
+      const request = new FetchRequest("get", "https://removeservice.com/test.json")
+      expect(request.fetchOptions.headers).not.toHaveProperty("X-CSRF-Token")
+    })
+
     test('csrf token is included in headers if url hostname is the same as window.location', () => {
       const request = new FetchRequest("get", "http://localhost/test.json")
       expect(request.fetchOptions.headers).toHaveProperty("X-CSRF-Token")
diff --git a/src/fetch_request.js b/src/fetch_request.js
@@ -49,7 +49,7 @@ export class FetchRequest {
   }
 
   sameHostname () {
-    if (!this.originalUrl.startsWith('http:')) {
+    if (!this.originalUrl.startsWith('http:') && !this.originalUrl.startsWith('https:')) {
       return true
     }
 

Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,7 @@ export class FetchRequest {`
`49`	`49`	`}`
`50`	`50`
`51`	`51`	`sameHostname () {`
`52`		`- if (!this.originalUrl.startsWith('http:')) {`
	`52`	`+ if (!this.originalUrl.startsWith('http:') && !this.originalUrl.startsWith('https:')) {`
`53`	`53`	`return true`
`54`	`54`	`}`
`55`	`55`