Merge pull request #81 from t27duck/80_samehost_https

Consider https for same origin check
rails · Oct 3, 2024 · 7e77fb3 · 7e77fb3
2 parents f3460a1 + 1e04ca7
commit 7e77fb3
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/__tests__/fetch_request.js b/__tests__/fetch_request.js
@@ -223,11 +223,16 @@ describe('header handling', () => {
 
   describe('csrf token inclusion', () => {
     // window.location.hostname is "localhost" in the test suite
-    test('csrf token is not included in headers if url hostname is not the same as window.location', () => {
+    test('csrf token is not included in headers if url hostname is not the same as window.location (http)', () => {
       const request = new FetchRequest("get", "http://removeservice.com/test.json")
       expect(request.fetchOptions.headers).not.toHaveProperty("X-CSRF-Token")
     })
 
+    test('csrf token is not included in headers if url hostname is not the same as window.location (https)', () => {
+      const request = new FetchRequest("get", "https://removeservice.com/test.json")
+      expect(request.fetchOptions.headers).not.toHaveProperty("X-CSRF-Token")
+    })
+
     test('csrf token is included in headers if url hostname is the same as window.location', () => {
       const request = new FetchRequest("get", "http://localhost/test.json")
       expect(request.fetchOptions.headers).toHaveProperty("X-CSRF-Token")

diff --git a/src/fetch_request.js b/src/fetch_request.js
@@ -49,7 +49,7 @@ export class FetchRequest {
   }
 
   sameHostname () {
-    if (!this.originalUrl.startsWith('http:')) {
+    if (!this.originalUrl.startsWith('http:') && !this.originalUrl.startsWith('https:')) {
       return true
     }