mirrors/hono
mirrors/hono
0
0
Fork 0
mirror of https://github.com/honojs/hono.git synced 2024-11-28 17:22:54 +01:00
Code Issues Releases Activity

Merge commit from fork

Browse Source
This commit is contained in:
Yusuke Wada 2024-10-15 17:16:47 +09:00 committed by GitHub
parent f9e6ea7382
commit aa50e0ab77
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
src/middleware/csrf/index.test.ts
View File

@ -206,6 +206,15 @@ describe('CSRF by Middleware', () => {
expect(res.status).toBe(403) expect(res.status).toBe(403)
expect(simplePostHandler).not.toHaveBeenCalled() expect(simplePostHandler).not.toHaveBeenCalled()
}) })
it('should be 403 if the content-type is not set', async () => {
const res = await app.request('/form', {
method: 'POST',
body: new Blob(['test'], {}),
})
expect(res.status).toBe(403)
expect(simplePostHandler).not.toHaveBeenCalled()
})
}) })
describe('with origin option', () => { describe('with origin option', () => {

2
src/middleware/csrf/index.ts
View File

@ -76,7 +76,7 @@ export const csrf = (options?: CSRFOptions): MiddlewareHandler => {
return async function csrf(c, next) { return async function csrf(c, next) {
if ( if (
!isSafeMethodRe.test(c.req.method) && !isSafeMethodRe.test(c.req.method) &&
isRequestedByFormElementRe.test(c.req.header('content-type') || '') && isRequestedByFormElementRe.test(c.req.header('content-type') || 'text/plain') &&
!isAllowedOrigin(c.req.header('origin'), c) !isAllowedOrigin(c.req.header('origin'), c)
) { ) {
const res = new Response('Forbidden', { const res = new Response('Forbidden', {