From aa50e0ab77b5af8c53c50fe3b271892f8eeeea82 Mon Sep 17 00:00:00 2001 From: Yusuke Wada Date: Tue, 15 Oct 2024 17:16:47 +0900 Subject: [PATCH] Merge commit from fork --- src/middleware/csrf/index.test.ts | 9 +++++++++ src/middleware/csrf/index.ts | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/src/middleware/csrf/index.test.ts b/src/middleware/csrf/index.test.ts index 517d7a62..38537e5b 100644 --- a/src/middleware/csrf/index.test.ts +++ b/src/middleware/csrf/index.test.ts @@ -206,6 +206,15 @@ describe('CSRF by Middleware', () => { expect(res.status).toBe(403) expect(simplePostHandler).not.toHaveBeenCalled() }) + + it('should be 403 if the content-type is not set', async () => { + const res = await app.request('/form', { + method: 'POST', + body: new Blob(['test'], {}), + }) + expect(res.status).toBe(403) + expect(simplePostHandler).not.toHaveBeenCalled() + }) }) describe('with origin option', () => { diff --git a/src/middleware/csrf/index.ts b/src/middleware/csrf/index.ts index ae622c3f..44881b7b 100644 --- a/src/middleware/csrf/index.ts +++ b/src/middleware/csrf/index.ts @@ -76,7 +76,7 @@ export const csrf = (options?: CSRFOptions): MiddlewareHandler => { return async function csrf(c, next) { if ( !isSafeMethodRe.test(c.req.method) && - isRequestedByFormElementRe.test(c.req.header('content-type') || '') && + isRequestedByFormElementRe.test(c.req.header('content-type') || 'text/plain') && !isAllowedOrigin(c.req.header('origin'), c) ) { const res = new Response('Forbidden', {