mirror of
https://github.com/honojs/hono.git
synced 2024-11-24 19:26:56 +01:00
Merge commit from fork
parent
f9e6ea7382
commit
aa50e0ab77
@ -206,6 +206,15 @@ describe('CSRF by Middleware', () => {
|
||||
expect(res.status).toBe(403)
|
||||
expect(simplePostHandler).not.toHaveBeenCalled()
|
||||
})
|
||||
|
||||
it('should be 403 if the content-type is not set', async () => {
|
||||
const res = await app.request('/form', {
|
||||
method: 'POST',
|
||||
body: new Blob(['test'], {}),
|
||||
})
|
||||
expect(res.status).toBe(403)
|
||||
expect(simplePostHandler).not.toHaveBeenCalled()
|
||||
})
|
||||
})
|
||||
|
||||
describe('with origin option', () => {
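Review bot: The added case 'should be 403 if the content-type is not set' pins only the rejecting path, so nothing in this hunk would catch the new fallback over-blocking a legitimate same-origin POST that arrives without a Content-Type. A sibling case that sends the same untyped Blob with an allowed `origin` header and asserts the handler ran would fix both sides of the behaviour. The origin value below is assumed to be one the default check accepts and should be aligned with the suite's existing fixtures. The enclosing `describe` starts outside the hunk.
```typescript
it('should pass if the content-type is not set and the origin is allowed', async () => {
  // assumed: the default check accepts an origin equal to the request URL's origin
  const res = await app.request('http://localhost/form', {
    method: 'POST',
    headers: { origin: 'http://localhost' },
    body: new Blob(['test'], {}),
  })
  expect(res.status).not.toBe(403)
  expect(simplePostHandler).toHaveBeenCalled()
})
```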
|
||||
|
@ -76,7 +76,7 @@ export const csrf = (options?: CSRFOptions): MiddlewareHandler => {
|
||||
return async function csrf(c, next) {
|
||||
if (
|
||||
!isSafeMethodRe.test(c.req.method) &&
|
||||
isRequestedByFormElementRe.test(c.req.header('content-type') || '') &&
|
||||
isRequestedByFormElementRe.test(c.req.header('content-type') || 'text/plain') &&
|
||||
!isAllowedOrigin(c.req.header('origin'), c)
|
||||
) {
|
||||
const res = new Response('Forbidden', {
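Review bot: The `|| 'text/plain'` fallback on the content-type line carries the whole fix but reads like an arbitrary default, so it needs a comment a later maintainer will not "simplify" away. I would add above the condition: `// A body sent without Content-Type (e.g. an untyped Blob) needs no preflight, so treat it as text/plain and still run the origin check.` Because the code uses `||` rather than `??`, an empty header value also takes the fallback; that looks intended and is worth stating in the same comment. `isRequestedByFormElementRe` and `isAllowedOrigin` are defined outside the hunk, so the claim that the regex matches `text/plain` is inferred from the added test. The function body continues past the last visible line.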
|
||||
|