Merge commit from fork

honojs · Aug 22, 2024 · 41ce840 · 41ce840
1 parent b0af71f
commit 41ce840
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 1 deletion.
diff --git a/src/middleware/csrf/index.test.ts b/src/middleware/csrf/index.test.ts
@@ -194,6 +194,18 @@ describe('CSRF by Middleware', () => {
       expect(res.status).toBe(200)
       expect(await res.text()).toBe('hono')
     })
+
+    it('should be 403 for "Application/x-www-form-urlencoded" cross origin', async () => {
+      const res = await app.request('http://localhost/form', {
+        method: 'POST',
+        headers: Object.assign({
+          'content-type': 'Application/x-www-form-urlencoded',
+        }),
+        body: 'name=hono',
+      })
+      expect(res.status).toBe(403)
+      expect(simplePostHandler).not.toHaveBeenCalled()
+    })
   })
 
   describe('with origin option', () => {

diff --git a/src/middleware/csrf/index.ts b/src/middleware/csrf/index.ts
@@ -14,7 +14,7 @@ interface CSRFOptions {
 
 const isSafeMethodRe = /^(GET|HEAD)$/
 const isRequestedByFormElementRe =
-  /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/
+  /^\b(application\/x-www-form-urlencoded|multipart\/form-data|text\/plain)\b/i
 
 /**
  * CSRF Protection Middleware for Hono.