Merge commit from fork

honojs · Oct 15, 2024 · aa50e0a · aa50e0a
1 parent f9e6ea7
commit aa50e0a
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/src/middleware/csrf/index.test.ts b/src/middleware/csrf/index.test.ts
@@ -206,6 +206,15 @@ describe('CSRF by Middleware', () => {
       expect(res.status).toBe(403)
       expect(simplePostHandler).not.toHaveBeenCalled()
     })
+
+    it('should be 403 if the content-type is not set', async () => {
+      const res = await app.request('/form', {
+        method: 'POST',
+        body: new Blob(['test'], {}),
+      })
+      expect(res.status).toBe(403)
+      expect(simplePostHandler).not.toHaveBeenCalled()
+    })
   })
 
   describe('with origin option', () => {

diff --git a/src/middleware/csrf/index.ts b/src/middleware/csrf/index.ts
@@ -76,7 +76,7 @@ export const csrf = (options?: CSRFOptions): MiddlewareHandler => {
   return async function csrf(c, next) {
     if (
       !isSafeMethodRe.test(c.req.method) &&
-      isRequestedByFormElementRe.test(c.req.header('content-type') || '') &&
+      isRequestedByFormElementRe.test(c.req.header('content-type') || 'text/plain') &&
       !isAllowedOrigin(c.req.header('origin'), c)
     ) {
       const res = new Response('Forbidden', {