When using isURLSameOrigin with native JavaScript URL objects, the protocols mismatch as the resolveURL function strips the ":"-character, while the URL-object's protocol attribute does contain it.
isURLSameOrigin thus returns false if used with URL objects, even if the origins match. This now leads to issues when setting withCredentials = true and withXSRFToken = false as the XSRF token will not be submitted when using URL objects.
Example Code
// locally recreated function that mimics the relevant behavior in isURLSameOrigin
const resolveURL = function (url) {
  let href = url;
  const urlParsingNode = document.createElement('a');
  urlParsingNode.setAttribute('href', href);
  return {
    href: urlParsingNode.href,
    protocol: urlParsingNode.protocol ? urlParsingNode.protocol.replace(/:$/, '') : '',
    host: urlParsingNode.host,
    search: urlParsingNode.search ? urlParsingNode.search.replace(/^\?/, '') : '',
    hash: urlParsingNode.hash ? urlParsingNode.hash.replace(/^#/, '') : '',
    hostname: urlParsingNode.hostname,
    port: urlParsingNode.port,
    pathname: (urlParsingNode.pathname.charAt(0) === '/') ?
      urlParsingNode.pathname :
      '/' + urlParsingNode.pathname
  };
};

let originURL = resolveURL("http://www.example.com");
let requestURL = new URL("http://www.example.com");
console.log(originURL.protocol); // > http
console.log(requestURL.protocol); // > http:
Expected behavior
I do not know if this is to be disregarded as no compatibility with URL objects is explicitly proclaimed in the axios docs. My personal workaround for now is to not pass URL objects directly into axios and use strings only.
A comment in resolveURL however does read "urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils".
According to that spec it seems to me that the ":"-character should be included (if I am reading this correctly):
"The protocol getter steps are to return this’s URL’s scheme, followed by U+003A (:)."
Axios Version
1.7.2 / 1.x
Adapter Version
No response
Browser
No response
Browser Version
No response
Node.js Version
No response
OS
No response
Additional Library Versions
No response
Additional context/Screenshots
No response
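The mismatch reported above, as an added example that is not part of the original report and not axios's own code: it contrasts a comparison that strips the ":" only for string inputs with one that normalizes both sides through the WHATWG URL parser. The function names are hypothetical, the sample URLs are constructed, and the WHATWG `URL` class stands in for the anchor element so the block runs in Node without a DOM.

```javascript
// Added example; all names are hypothetical, not axios's code.
// Mimics the colon-stripping described in the issue, using the WHATWG URL
// parser instead of an <a> element (assumption, so it runs without a DOM).
function resolveStripped(url) {
  const u = new URL(url);
  return { protocol: u.protocol.replace(/:$/, ''), host: u.host };
}

// Comparison as the issue describes it: strings are resolved (colon stripped),
// URL objects are used as-is (colon kept), so the two forms never match.
function naiveSameOrigin(pageUrl, requestURL) {
  const origin = resolveStripped(pageUrl);
  const parsed = typeof requestURL === 'string' ? resolveStripped(requestURL) : requestURL;
  return parsed.protocol === origin.protocol && parsed.host === origin.host;
}

// Normalizing variant: coerce both sides to URL objects first, so both
// protocols carry the trailing ":" and default ports are dropped consistently.
function normalizedSameOrigin(pageUrl, requestURL) {
  const origin = new URL(pageUrl);
  const parsed = new URL(String(requestURL), origin); // also resolves relative paths
  return parsed.protocol === origin.protocol && parsed.host === origin.host;
}

// Constructed sample inputs.
const PAGE = 'http://www.example.com/app';
const cases = [
  ['string, same origin', 'http://www.example.com/api'],
  ['URL object, same origin', new URL('http://www.example.com/api')],
  ['URL object, explicit default port', new URL('http://www.example.com:80/api')],
  ['URL object, other scheme', new URL('https://www.example.com/api')],
  ['URL object, other host', new URL('http://api.example.net/api')],
];

// Returns one row per case with the verdict of each comparison.
function runCases() {
  return cases.map(([label, req]) => ({
    label,
    naive: naiveSameOrigin(PAGE, req),
    normalized: normalizedSameOrigin(PAGE, req),
  }));
}

console.table(runCases());
```

The second row is the case from the report: the naive comparison returns false for a same-origin URL object, while the normalized one still rejects the cross-scheme and cross-host rows.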