CSRF header should not be sent to cross domain sites #1469

shelbert · shelbert · commit a9cea74b832e · 2022-01-26T12:15:15.000+01:00
diff --git a/springdoc-openapi-common/src/main/java/org/springdoc/ui/AbstractSwaggerIndexTransformer.java b/springdoc-openapi-common/src/main/java/org/springdoc/ui/AbstractSwaggerIndexTransformer.java
@@ -204,7 +204,10 @@ protected String addCSRF(String html) {
 		stringBuilder.append("const parts = value.split(`; ");
 		stringBuilder.append(swaggerUiConfig.getCsrf().getCookieName());
 		stringBuilder.append("=`);\n");
-		stringBuilder.append("if (parts.length === 2)\n");
+		stringBuilder.append("const currentURL = new URL(document.URL);\n");
+		stringBuilder.append("const requestURL = new URL(request.url, document.location.origin);\n");
+		stringBuilder.append("const isSameOrigin = (currentURL.protocol === requestURL.protocol && currentURL.host === requestURL.host);\n");
+		stringBuilder.append("if (isSameOrigin && parts.length === 2) ");
 		stringBuilder.append("request.headers['");
 		stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
 		stringBuilder.append("'] = parts.pop().split(';').shift();\n");
@@ -225,6 +228,10 @@ protected String addCSRFLocalStorage(String html) {
 		stringBuilder.append("requestInterceptor: (request) => {\n");
 		stringBuilder.append("const value = window.localStorage.getItem('");
 		stringBuilder.append(swaggerUiConfig.getCsrf().getLocalStorageKey() + "');\n");
+		stringBuilder.append("const currentURL = new URL(document.URL);\n");
+		stringBuilder.append("const requestURL = new URL(request.url, document.location.origin);\n");
+		stringBuilder.append("const isSameOrigin = (currentURL.protocol === requestURL.protocol && currentURL.host === requestURL.host);\n");
+		stringBuilder.append("if (isSameOrigin) ");
 		stringBuilder.append("request.headers['");
 		stringBuilder.append(swaggerUiConfig.getCsrf().getHeaderName());
 		stringBuilder.append("'] = value;\n");
