
feat: use hostname checking csrf referer whitelist instead of host

Open hq5544 opened this issue 4 years ago • 0 comments

Checklist
  • [x] npm test passes
  • [ ] tests and/or benchmarks are included
  • [x] documentation is changed or added
  • [x] commit message follows commit guidelines
Affected core subsystem(s)

egg-security

Description of change

Use hostname instead of host when checking the CSRF referer whitelist. In the current version, www.alipay.net:8000 will not match refererWhiteList: [ 'alipay.net' ]. Maybe it is necessary to change host to hostname when checking whether a URL is in refererWhiteList.

hq5544 · Oct 25 '21 10:10
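To make the difference between `host` and `hostname` concrete, here is an added example (not egg-security's own implementation, which is not shown on this page) that matches a Referer header against a whitelist both ways using Node's WHATWG `URL`. The helper `matchesDomain` and the two `refererAllowedBy*` functions are my assumptions about how such a check could be written; the sample referers are constructed. The domain comparison deliberately matches only on a label boundary (`"." + domain`), so an entry like `alipay.net` accepts its subdomains but not look-alike hosts such as `evilalipay.net` or `alipay.net.attacker.example`, and an unparseable header is rejected rather than throwing.

```javascript
// Added example, not egg-security's code: compare a CSRF Referer against
// refererWhiteList using url.host (keeps a non-default port) versus
// url.hostname (port stripped). Node's global URL class is used; no imports.

// Assumed helper: exact match or a subdomain, compared on a label boundary so
// "evilalipay.net" does not match the whitelist entry "alipay.net".
function matchesDomain(candidate, domain) {
  const c = candidate.toLowerCase();
  const d = domain.toLowerCase();
  return c === d || c.endsWith('.' + d);
}

function parseReferer(referer) {
  try {
    return new URL(referer);
  } catch (err) {
    return null; // malformed or empty Referer: treat as not whitelisted
  }
}

// Behaviour described in the issue: url.host still contains ":8000", so
// "www.alipay.net:8000" can never match "alipay.net".
function refererAllowedByHost(referer, whiteList) {
  const url = parseReferer(referer);
  if (!url) return false;
  return whiteList.some((domain) => matchesDomain(url.host, domain));
}

// Proposed behaviour: url.hostname drops the port, so the same referer matches.
function refererAllowedByHostname(referer, whiteList) {
  const url = parseReferer(referer);
  if (!url) return false;
  return whiteList.some((domain) => matchesDomain(url.hostname, domain));
}

// Constructed sample inputs covering the reported case and a few edge cases.
const WHITE_LIST = ['alipay.net'];
const SAMPLE_REFERERS = [
  'https://www.alipay.net:8000/pay',        // reported case: port present
  'https://www.alipay.net/pay',             // default port, both agree
  'https://alipay.net/pay',                 // exact whitelist entry
  'https://evilalipay.net/pay',             // look-alike, must be rejected
  'https://alipay.net.attacker.example/pay', // whitelist entry as a prefix
  'not a url',                              // malformed header
];

// Returns one row per referer so the outcome of both strategies can be compared.
function compareStrategies(referers = SAMPLE_REFERERS, whiteList = WHITE_LIST) {
  return referers.map((referer) => ({
    referer,
    byHost: refererAllowedByHost(referer, whiteList),
    byHostname: refererAllowedByHostname(referer, whiteList),
  }));
}

console.log(compareStrategies());
```

Running it shows only the first row differing between the two columns: `byHost` is `false` for `www.alipay.net:8000` while `byHostname` is `true`, which is exactly the mismatch the PR description reports; the look-alike and malformed rows are rejected by both.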