Commit 009077b5 authored by Elouan Martinet's avatar Elouan Martinet

[client] Disable CSRF token when cross origin requests are enabled

This prevents sending our local CSRF token to a 3rd party website, which is a
security issue: the 3rd party website could use this token to forge requests
that bypass the CSRF protection.
parent bab795206316
......@@ -158,7 +158,7 @@ function doRequestFetch(
if (!uri.startsWith('http')) {
uri = 'http://' + uri;
}
if (method !== 'GET' && CSRF_TOKEN !== null) {
if (method !== 'GET' && CSRF_TOKEN !== null && !allowsCrossOrigin) {
headers.append('X-CSRF-Token', CSRF_TOKEN);
}
return fetch(uri, {
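Review bot: The new guard on the `!allowsCrossOrigin` line decides whether to attach X-CSRF-Token from a caller-supplied flag rather than from the request's actual destination, so a caller that passes `allowsCrossOrigin = true` for a same-origin URL silently drops the token, and one that leaves it `false` while handing in a third-party `uri` still leaks it. Since `uri` is given a scheme on the lines just above, the destination can be checked directly; if this code runs in a browser, something like `const sameOrigin = new URL(uri).origin === window.location.origin;` followed by `if (method !== 'GET' && CSRF_TOKEN !== null && sameOrigin) {` ties the token to the origin it belongs to regardless of what the caller passed. The same point applies to the second hunk in requestFetchWithCookies, where the header is appended on the `!allowsCrossOrigin` line before the body is built. Both enclosing functions start before their hunks and doRequestFetch continues past `return fetch(uri, {`, so I cannot see what else `allowsCrossOrigin` controls; the origin check would be in addition to, not instead of, whatever mode or credentials setting it selects.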
......@@ -234,7 +234,7 @@ function requestFetchWithCookies(
allowsCrossOrigin: boolean = false
): Promise<HttpResponse> {
let requestHeaders = new Headers();
if (method !== 'GET' && CSRF_TOKEN !== null) {
if (method !== 'GET' && CSRF_TOKEN !== null && !allowsCrossOrigin) {
requestHeaders.append('X-CSRF-Token', CSRF_TOKEN);
}
let finalContent = content;