Adding xsrf protection
+11
-1
@@ -1,8 +1,10 @@
|
||||
var Promise = require('es6-promise').Promise;
|
||||
var buildUrl = require('./buildUrl');
|
||||
var cookies = require('./cookies');
|
||||
var defaults = require('./defaults');
|
||||
var parseHeaders = require('./parseHeaders');
|
||||
var transformData = require('./transformData');
|
||||
var urlIsSameOrigin = require('./urlIsSameOrigin');
|
||||
var utils = require('./utils');
|
||||
|
||||
var axios = module.exports = function axios(options) {
|
||||
@@ -62,9 +64,17 @@ var axios = module.exports = function axios(options) {
|
||||
options.headers || {}
|
||||
);
|
||||
|
||||
// Add xsrf header
|
||||
var xsrfValue = urlIsSameOrigin(options.url)
|
||||
? cookies.read(options.xsrfCookieName || defaults.xsrfCookieName)
|
||||
: undefined;
|
||||
if (xsrfValue) {
|
||||
headers[options.xsrfHeaderName || defaults.xsrfHeaderName] = xsrfValue;
|
||||
}
|
||||
|
||||
utils.forEach(headers, function (val, key) {
|
||||
// Remove Content-Type if data is undefined
|
||||
if (typeof data === 'undefined' && key.toLowerCase() === 'content-type') {
|
||||
if (!data && key.toLowerCase() === 'content-type') {
|
||||
delete headers[key];
|
||||
}
|
||||
// Otherwise add header to the request
|
||||
|
||||
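Review bot: Replacing `typeof data === 'undefined'` with `!data` in the Content-Type loop widens the strip to every falsy payload, so a request whose body is `0`, `''` or `false` would go out with a body but no Content-Type header; keep the explicit check, `if (typeof data === 'undefined' && key.toLowerCase() === 'content-type') {`, or use `data == null` if null is meant to count as "no body". The XSRF block is sound for its purpose, since the cookie is only read when `urlIsSameOrigin(options.url)` holds and the token is therefore never attached to a cross-origin request; a one-line comment stating that invariant, `// Only attach the token to same-origin requests so it is never sent cross-site`, would keep a later edit from loosening it by accident. The enclosing `axios` function starts before and ends after this hunk, and the `headers` object written to here is assigned outside it.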
@@ -0,0 +1,37 @@
|
||||
'use strict';
|
||||
|
||||
var utils = require('./utils');
|
||||
|
||||
module.exports = {
|
||||
write: function write(name, value, expires, path, domain, secure) {
|
||||
var cookie = [];
|
||||
cookie.push(name + '=' + encodeURIComponent(value));
|
||||
|
||||
if (utils.isNumber(expires)) {
|
||||
cookie.push('expires=' + new Date(expires).toGMTString());
|
||||
}
|
||||
|
||||
if (utils.isString(path)) {
|
||||
cookie.push('path=' + path);
|
||||
}
|
||||
|
||||
if (utils.isString(domain)) {
|
||||
cookie.push('domain=' + domain);
|
||||
}
|
||||
|
||||
if (secure === true) {
|
||||
cookie.push('secure');
|
||||
}
|
||||
|
||||
document.cookie = cookie.join('; ');
|
||||
},
|
||||
|
||||
read: function read(name) {
|
||||
var match = document.cookie.match(new RegExp('(^|;\\s*)(' + name + ')=([^;]*)'));
|
||||
return (match ? decodeURIComponent(match[3]) : null);
|
||||
},
|
||||
|
||||
remove: function remove(name) {
|
||||
this.write(name, '', Date.now() - 86400000);
|
||||
}
|
||||
};
|
||||
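Review bot: `read` interpolates `name` into a `RegExp` unescaped, so a cookie name containing regex metacharacters (`.`, `+`, `(` …) either mis-matches or throws a SyntaxError; since `options.xsrfCookieName` is caller-supplied, escape it first, `var escaped = name.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');` and build the pattern from `escaped`. `write` relies on `toGMTString`, which is a legacy alias kept only for compatibility; `toUTCString()` is the documented form. `remove` calls `this.write`, so it only works when invoked as `cookies.remove(...)`, and because it passes no path or domain it cannot clear a cookie that was written with either; a short JSDoc on each export stating these constraints would be worth adding.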
@@ -0,0 +1,50 @@
|
||||
'use strict';
|
||||
|
||||
var msie = /(msie|trident)/i.test(navigator.userAgent);
|
||||
var utils = require('./utils');
|
||||
var urlParsingNode = document.createElement('a');
|
||||
var originUrl = urlResolve(window.location.href);
|
||||
|
||||
/**
|
||||
* Parse a URL to discover it's components
|
||||
*
|
||||
* @param {String} url The URL to be parsed
|
||||
* @returns {Object}
|
||||
*/
|
||||
function urlResolve(url) {
|
||||
var href = url;
|
||||
|
||||
if (msie) {
|
||||
// IE needs attribute set twice to normalize properties
|
||||
urlParsingNode.setAttribute('href', href);
|
||||
href = urlParsingNode.href;
|
||||
}
|
||||
|
||||
urlParsingNode.setAttribute('href', href);
|
||||
|
||||
// urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils
|
||||
return {
|
||||
href: urlParsingNode.href,
|
||||
protocol: urlParsingNode.protocol ? urlParsingNode.protocol.replace(/:$/, '') : '',
|
||||
host: urlParsingNode.host,
|
||||
search: urlParsingNode.search ? urlParsingNode.search.replace(/^\?/, '') : '',
|
||||
hash: urlParsingNode.hash ? urlParsingNode.hash.replace(/^#/, '') : '',
|
||||
hostname: urlParsingNode.hostname,
|
||||
port: urlParsingNode.port,
|
||||
pathname: (urlParsingNode.pathname.charAt(0) === '/')
|
||||
? urlParsingNode.pathname
|
||||
: '/' + urlParsingNode.pathname
|
||||
};
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine if a URL shares the same origin as the current location
|
||||
*
|
||||
* @param {String} requestUrl The URL to test
|
||||
* @returns {boolean} True if URL shares the same origin, otherwise false
|
||||
*/
|
||||
module.exports = function urlIsSameOrigin(requestUrl) {
|
||||
var parsed = (utils.isString(requestUrl)) ? urlResolve(requestUrl) : requestUrl;
|
||||
return (parsed.protocol === originUrl.protocol &&
|
||||
parsed.host === originUrl.host);
|
||||
};
|
||||
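Review bot: `urlIsSameOrigin` treats a non-string `requestUrl` as an already-parsed object, so when `options.url` is left undefined the new XSRF code in axios.js reaches `parsed.protocol` and throws a TypeError before the request is attempted; a guard such as `var parsed = utils.isString(requestUrl) ? urlResolve(requestUrl) : (requestUrl || {});` makes the check return false instead. The module also reads `navigator`, `document` and `window` at require time, which is fine for the browser build but should be stated in a file-level comment since it makes the module unloadable outside a browser. Minor: the `urlResolve` JSDoc should read `its components`, not `it's`.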
+23
-1
@@ -12,6 +12,26 @@ function isArray(val) {
|
||||
return toString.call(val) === '[object Array]';
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine if a value is a String
|
||||
*
|
||||
* @param {Object} val The value to test
|
||||
* @returns {boolean} True if value is a String, otherwise false
|
||||
*/
|
||||
function isString(val) {
|
||||
return typeof val === 'string';
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine if a value is a Number
|
||||
*
|
||||
* @param {Object} val The value to test
|
||||
* @returns {boolean} True if value is a Number, otherwise false
|
||||
*/
|
||||
function isNumber(val) {
|
||||
return typeof val === 'number';
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine if a value is an Object
|
||||
*
|
||||
@@ -49,7 +69,7 @@ function isFile(val) {
|
||||
* @returns {boolean} True if value is a Blob, otherwise false
|
||||
*/
|
||||
function isBlob(val) {
|
||||
return toString.call(val) !== '[object Blob]';
|
||||
return toString.call(val) === '[object Blob]';
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -133,6 +153,8 @@ function merge(obj1/*, obj2, obj3, ...*/) {
|
||||
|
||||
module.exports = {
|
||||
isArray: isArray,
|
||||
isString: isString,
|
||||
isNumber: isNumber,
|
||||
isObject: isObject,
|
||||
isDate: isDate,
|
||||
isFile: isFile,
|
||||
|
||||
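Review bot: `isNumber` in the first hunk returns true for `NaN`, and `cookies.write` in this commit uses it to decide whether to emit an `expires=` attribute, so a `NaN` expiry produces `expires=Invalid Date` instead of being skipped; either tighten it to `return typeof val === 'number' && !isNaN(val);` or make the caller check, and say which in the JSDoc (`@returns {boolean} True if value is a Number (NaN included), otherwise false` if the current behaviour is kept).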