Expand file tree Collapse file tree 2 files changed +4
-4
lines changed Original file line number Diff line number Diff line change @@ -188,8 +188,8 @@ export default isXHRAdapterSupported && function (config) {
188188 // Specifically not if we're in a web worker, or react-native.
189189 if ( platform . isStandardBrowserEnv ) {
190190 // Add xsrf header
191- const xsrfValue = ( config . withCredentials || isURLSameOrigin ( fullPath ) )
192- && config . xsrfCookieName && cookies . read ( config . xsrfCookieName ) ;
191+ // regarding CVE-2023-45857 config.withCredentials condition was removed temporarily
192+ const xsrfValue = isURLSameOrigin ( fullPath ) && config . xsrfCookieName && cookies . read ( config . xsrfCookieName ) ;
193193
194194 if ( xsrfValue ) {
195195 requestHeaders . set ( config . xsrfHeaderName , xsrfValue ) ;
Original file line number Diff line number Diff line change @@ -67,15 +67,15 @@ describe('xsrf', function () {
6767 } ) ;
6868 } ) ;
6969
70- it ( 'should set xsrf header for cross origin when using withCredentials' , function ( done ) {
70+ it ( 'should not set xsrf header for cross origin when using withCredentials' , function ( done ) {
7171 document . cookie = axios . defaults . xsrfCookieName + '=12345' ;
7272
7373 axios ( 'http://example.com/' , {
7474 withCredentials : true
7575 } ) ;
7676
7777 getAjaxRequest ( ) . then ( function ( request ) {
78- expect ( request . requestHeaders [ axios . defaults . xsrfHeaderName ] ) . toEqual ( '12345' ) ;
78+ expect ( request . requestHeaders [ axios . defaults . xsrfHeaderName ] ) . toEqual ( undefined ) ;
7979 done ( ) ;
8080 } ) ;
8181 } ) ;
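Review bot: The inverted expectation only covers the cross-origin-with-credentials case; nothing in this hunk pins the case the fix must keep working, a same-origin request with `withCredentials: true` still receiving the header, so a regression that drops the header entirely would pass this spec. Unless a sibling test outside the hunk already does so, add a companion `it('should set xsrf header for same origin when using withCredentials', ...)` that requests a same-origin URL with `withCredentials: true` and asserts `request.requestHeaders[axios.defaults.xsrfHeaderName]` equals `'12345'`. Note also that the assertion relies on the test runner not being served from `http://example.com`, which is worth a one-line comment above the `axios('http://example.com/', ...)` call; the surrounding `describe` and any cookie cleanup in `afterEach` are outside this hunk.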