

CSRF header should not be sent to cross domain sites #1469
shelbert committed Jan 26, 2022
1 parent 6befd4e commit a9cea74
Showing 1 changed file with 8 additions and 1 deletion.
Expand Up @@ -204,7 +204,10 @@ protected String addCSRF(String html) {
stringBuilder.append("const parts = value.split(`; ");
stringBuilder.append(swaggerUiConfig.getCsrf().getCookieName());
stringBuilder.append("=`);\n");
stringBuilder.append("if (parts.length === 2)\n");
stringBuilder.append("const currentURL = new URL(document.URL);\n");
stringBuilder.append("const requestURL = new URL(request.url, document.location.origin);\n");
stringBuilder.append("const isSameOrigin = (currentURL.protocol === requestURL.protocol && currentURL.host === requestURL.host);\n");
stringBuilder.append("if (isSameOrigin && parts.length === 2) ");
stringBuilder.append("request.headers['");
stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
stringBuilder.append("'] = parts.pop().split(';').shift();\n");
Expand All @@ -225,6 +228,10 @@ protected String addCSRFLocalStorage(String html) {
stringBuilder.append("requestInterceptor: (request) => {\n");
stringBuilder.append("const value = window.localStorage.getItem('");
stringBuilder.append(swaggerUiConfig.getCsrf().getLocalStorageKey() + "');\n");
stringBuilder.append("const currentURL = new URL(document.URL);\n");
stringBuilder.append("const requestURL = new URL(request.url, document.location.origin);\n");
stringBuilder.append("const isSameOrigin = (currentURL.protocol === requestURL.protocol && currentURL.host === requestURL.host);\n");
stringBuilder.append("if (isSameOrigin) ");
stringBuilder.append("request.headers['");
stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
stringBuilder.append("'] = value;\n");
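Review bot: The four appends that build `isSameOrigin` (from `const currentURL = new URL(document.URL);` through the `if (isSameOrigin` line) are duplicated verbatim in the second hunk inside addCSRFLocalStorage; because both interceptors must stay in lockstep for the token not to be attached to cross-origin requests, the generated JavaScript should come from one private helper rather than two copies that can drift apart. The comparison itself can also lean on the URL API: `currentURL.origin === requestURL.origin` covers scheme, host and port in one expression and reads as the same-origin check it is, whereas the `protocol` plus `host` pair works only because `host` happens to carry a non-default port. I would also add a one-line comment above the helper call explaining that the CSRF header is a same-origin credential and must not be sent to other origins, since nothing in the generated snippet says why the guard exists. Both enclosing methods, addCSRF and addCSRFLocalStorage, start and end outside the hunks.
```java
// in addCSRF(String html): the same-origin guard keeps the CSRF header from being sent to other origins
appendSameOriginCheck(stringBuilder);
stringBuilder.append("if (isSameOrigin && parts.length === 2) ");
// … unchanged: header assignment …

/** Appends JS defining {@code isSameOrigin}: true only when the request targets the page's own origin. */
private static void appendSameOriginCheck(StringBuilder stringBuilder) {
    stringBuilder.append("const currentURL = new URL(document.URL);\n");
    stringBuilder.append("const requestURL = new URL(request.url, document.location.origin);\n");
    stringBuilder.append("const isSameOrigin = (currentURL.origin === requestURL.origin);\n");
}
```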

