isURLSameOrigin fails with URL objects due to protocol mismatch #6469

Open
tstr-st opened this issue Jun 26, 2024 · 0 comments

tstr-st commented Jun 26, 2024

Describe the issue

When using isURLSameOrigin with native JavaScript URL objects, the protocols mismatch as the resolveURL function strips the ":"-character, while the URL object's protocol attribute does contain it.

isURLSameOrigin thus returns false if used with URL objects, even if the origins match. This now leads to issues when setting withCredentials = true and withXSRFToken = false as the XSRF token will not be submitted when using URL objects.

Example Code

// locally recreated function that mimics the relevant behavior in isURLSameOrigin
const resolveURL = function (url) {
  let href = url;
  const urlParsingNode = document.createElement('a');

  urlParsingNode.setAttribute('href', href);

  return {
    href: urlParsingNode.href,
    protocol: urlParsingNode.protocol ? urlParsingNode.protocol.replace(/:$/, '') : '',
    host: urlParsingNode.host,
    search: urlParsingNode.search ? urlParsingNode.search.replace(/^\?/, '') : '',
    hash: urlParsingNode.hash ? urlParsingNode.hash.replace(/^#/, '') : '',
    hostname: urlParsingNode.hostname,
    port: urlParsingNode.port,
    pathname: (urlParsingNode.pathname.charAt(0) === '/') ?
      urlParsingNode.pathname :
      '/' + urlParsingNode.pathname
  };
};

let originURL = resolveURL("http://www.example.com");
let requestURL = new URL("http://www.example.com");
console.log(originURL.protocol);  // > http
console.log(requestURL.protocol); // > http:

Expected behavior

I do not know if this is to be disregarded as no compatibility with URL objects is explicitly proclaimed in the axios docs. My personal workaround for now is to not pass URL objects directly into axios and use strings only.

A comment in resolveURL however does read "urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils".
According to that spec it seems to me that the ":"-character should be included (if I am reading this correctly):
"The protocol getter steps are to return this’s URL’s scheme, followed by U+003A (:)."

Axios Version

1.7.2 / 1.x

Adapter Version

No response

Browser

No response

Browser Version

No response

Node.js Version

No response

OS

No response

Additional Library Versions

No response

Additional context/Screenshots

No response
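The mismatch described in this issue, as an added example that is not part of the original post and not axios's own code. It runs under Node, where the WHATWG `URL` class stands in for the DOM anchor element. The comparison in `sameOriginAsDescribed` is an assumed model of the behaviour the issue reports, and `sameOriginNormalized` is a hypothetical check that parses both sides the same way before comparing.

```javascript
// Added example, not axios source. Node's WHATWG URL stands in for the DOM
// anchor element used by resolveURL in the issue (assumption).

// Mimics the issue's resolveURL: the trailing ":" is stripped from protocol.
function resolveURL(url) {
  const u = new URL(url);
  return { protocol: u.protocol.replace(/:$/, ''), host: u.host };
}

// Assumed shape of the check: strings are resolved, other values used as-is.
function sameOriginAsDescribed(originHref, requestURL) {
  const origin = resolveURL(originHref);
  const parsed = typeof requestURL === 'string' ? resolveURL(requestURL) : requestURL;
  return parsed.protocol === origin.protocol && parsed.host === origin.host;
}

// Hypothetical normalised check: parse both sides the same way, then compare
// scheme and host (host includes any non-default port). Fails closed.
function sameOriginNormalized(originHref, requestURL) {
  const origin = new URL(originHref);
  let target;
  try {
    target = new URL(String(requestURL), origin); // string, URL object or relative path
  } catch {
    return false; // unparseable input: treat as cross-origin, send no token
  }
  return target.protocol === origin.protocol && target.host === origin.host;
}

// Constructed sample inputs.
const ORIGIN = 'http://www.example.com/app';
const SAMPLES = [
  ['same origin, string', 'http://www.example.com/api'],
  ['same origin, URL object', new URL('http://www.example.com/api')],
  ['other scheme, URL object', new URL('https://www.example.com/api')],
  ['other port, URL object', new URL('http://www.example.com:8080/api')],
  ['other host, string', 'http://api.example.net/'],
];

function compareChecks() {
  return SAMPLES.map(([label, req]) => ({
    label,
    described: sameOriginAsDescribed(ORIGIN, req),
    normalized: sameOriginNormalized(ORIGIN, req),
  }));
}

console.table(compareChecks());
```

Only the second row differs between the two columns; the cross-origin rows stay `false` under both checks, so normalising the input does not widen the set of requests that would carry the XSRF token.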
