Skip to content

Commit 9ae0ac6

Browse files
bnasslahsenbnasslahsen
authored
Merge pull request #1470 from sebastien-helbert/master
CSRF header should not be sent to cross domain sites #1469
2 parents d37b96f + 2f7cdc5 commit 9ae0ac6

File tree

1 file changed

+23
-16
lines changed

1 file changed

+23
-16
lines changed

springdoc-openapi-common/src/main/java/org/springdoc/ui/AbstractSwaggerIndexTransformer.java

Lines changed: 23 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -199,18 +199,21 @@ private String addParameter(String html, String key, String value) {
199199
*/
200200
protected String addCSRF(String html) {
201201
StringBuilder stringBuilder = new StringBuilder();
202-
stringBuilder.append("requestInterceptor: (request) => {\n");
203-
stringBuilder.append("const value = `; ${document.cookie}`;\n");
204-
stringBuilder.append("const parts = value.split(`; ");
205-
stringBuilder.append(swaggerUiConfig.getCsrf().getCookieName());
206-
stringBuilder.append("=`);\n");
207-
stringBuilder.append("if (parts.length === 2)\n");
208-
stringBuilder.append("request.headers['");
209-
stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
210-
stringBuilder.append("'] = parts.pop().split(';').shift();\n");
211-
stringBuilder.append("return request;\n");
212-
stringBuilder.append("},\n");
213-
stringBuilder.append(PRESETS);
202+
stringBuilder.append("requestInterceptor: (request) => {\n");
203+
stringBuilder.append("\t\t\tconst value = `; ${document.cookie}`;\n");
204+
stringBuilder.append("\t\t\tconst parts = value.split(`; ");
205+
stringBuilder.append(swaggerUiConfig.getCsrf().getCookieName());
206+
stringBuilder.append("=`);\n");
207+
stringBuilder.append("\t\t\tconst currentURL = new URL(document.URL);\n");
208+
stringBuilder.append("\t\t\tconst requestURL = new URL(request.url, document.location.origin);\n");
209+
stringBuilder.append("\t\t\tconst isSameOrigin = (currentURL.protocol === requestURL.protocol && currentURL.host === requestURL.host);\n");
210+
stringBuilder.append("\t\t\tif (isSameOrigin && parts.length === 2) ");
211+
stringBuilder.append("request.headers['");
212+
stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
213+
stringBuilder.append("'] = parts.pop().split(';').shift();\n");
214+
stringBuilder.append("\t\t\treturn request;\n");
215+
stringBuilder.append("\t\t},\n");
216+
stringBuilder.append("\t\t" + PRESETS);
214217
return html.replace(PRESETS, stringBuilder.toString());
215218
}
216219

@@ -223,14 +226,18 @@ protected String addCSRF(String html) {
223226
protected String addCSRFLocalStorage(String html) {
224227
StringBuilder stringBuilder = new StringBuilder();
225228
stringBuilder.append("requestInterceptor: (request) => {\n");
226-
stringBuilder.append("const value = window.localStorage.getItem('");
229+
stringBuilder.append("t\t\tconst value = window.localStorage.getItem('");
227230
stringBuilder.append(swaggerUiConfig.getCsrf().getLocalStorageKey() + "');\n");
231+
stringBuilder.append("t\t\tconst currentURL = new URL(document.URL);\n");
232+
stringBuilder.append("t\t\tconst requestURL = new URL(request.url, document.location.origin);\n");
233+
stringBuilder.append("t\t\tconst isSameOrigin = (currentURL.protocol === requestURL.protocol && currentURL.host === requestURL.host);\n");
234+
stringBuilder.append("t\t\tif (isSameOrigin) ");
228235
stringBuilder.append("request.headers['");
229236
stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
230237
stringBuilder.append("'] = value;\n");
231-
stringBuilder.append("return request;\n");
232-
stringBuilder.append("},\n");
233-
stringBuilder.append(PRESETS);
238+
stringBuilder.append("t\t\treturn request;\n");
239+
stringBuilder.append("\t\t},\n");
240+
stringBuilder.append("\t\t" + PRESETS);
234241
return html.replace(PRESETS, stringBuilder.toString());
235242
}
236243

0 commit comments

Comments
 (0)