fix: compare full origin (scheme+host+port) in is_same_site #1363

Merged
richard-to merged 2 commits into main from claude/fix-is-same-site-origin-4qG5h
Mar 15, 2026
@richard-to
Collaborator

Previously is_same_site only compared hostnames, so requests from a different port on the same host (e.g. localhost:8080 vs localhost:32123) would incorrectly pass the CSRF check. Now all three components of the origin are compared.

https://claude.ai/code/session_01JXV99vPFFRVeX3cst7SLTw

claude and others added 2 commits March 15, 2026 22:00
Previously is_same_site only compared hostnames, so requests from a
different port on the same host (e.g. localhost:8080 vs localhost:32123)
would incorrectly pass the CSRF check. Now all three components of the
origin are compared.

https://claude.ai/code/session_01JXV99vPFFRVeX3cst7SLTw
@richard-to richard-to merged commit 25e9775 into main Mar 15, 2026
3 checks passed
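
The port case from the description above, as an added example that is not the project's code: a hostname-only comparison next to a full-origin comparison of scheme, host and port. The function names and sample URLs are hypothetical and constructed for illustration; the example also assumes that a missing port means the scheme default (80 for http, 443 for https) and that an unparseable or opaque `Origin` value such as `null` is rejected.

```python
from urllib.parse import urlsplit

# Assumption: only http(s) origins are meaningful for this check.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_tuple(url):
    """Return (scheme, host, port), or None if url is not a usable http(s) origin."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # covers "null", empty values and non-http schemes
    if port is None:
        port = DEFAULT_PORTS[scheme]  # normalise the implicit default port
    return (scheme, parts.hostname.lower(), port)


def hostname_only_same_site(origin_header, host_url):
    """Behaviour described as 'previously': hostnames are the only thing compared."""
    a, b = urlsplit(origin_header).hostname, urlsplit(host_url).hostname
    return a is not None and a == b


def full_origin_same_site(origin_header, host_url):
    """Behaviour described as 'now': scheme, host and port must all match."""
    a, b = origin_tuple(origin_header), origin_tuple(host_url)
    return a is not None and a == b


# Constructed sample pairs: (Origin header value, URL the app is served from).
CASES = [
    ("http://localhost:8080", "http://localhost:32123"),  # other port, same host
    ("http://app.example", "https://app.example"),        # scheme differs
    ("https://app.example", "https://app.example:443"),   # implicit default port
    ("null", "http://localhost:8080"),                    # opaque origin
]

if __name__ == "__main__":
    for origin, host in CASES:
        print(f"{origin!r:28} vs {host!r:28} "
              f"hostname-only={hostname_only_same_site(origin, host)!s:5} "
              f"full-origin={full_origin_same_site(origin, host)}")
```
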