This library could be used for any AJAX request; however, it was reported that some 3rd party endpoints reject the request if the CSRF token is included in the headers.
This change excludes the CSRF token from the headers by comparing the request URL and window.location.hostname.
If the URL is a relative path (i.e. doesn't begin with "http:"), include the token.
If the URL is not parseable with new URL(), then we'll continue on and include the token.
If the hostname of the URL and that of window.location are equal, include the token.
If the hostname of the URL and that of window.location are different, do not include the token.
I believe this covers and maintains the existing expectations of the library so existing applications shouldn't be caught off guard, as we are including the token more often than not.
Closes #45
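The four-step decision described above, written out as an added example (not the library's own code). The function name, the explicit `currentHostname` parameter (standing in for `window.location.hostname` so it runs under Node) and the `X-CSRF-Token` header name are assumptions.

```javascript
// Added example: decide whether the CSRF token header should be attached to an
// AJAX request, following the rules from the PR description.
// `currentHostname` is passed in explicitly (assumption) so the logic is testable
// outside a browser; in a page you would pass window.location.hostname.
function shouldIncludeCsrfToken(requestUrl, currentHostname) {
  // Rule 1: a relative path (does not begin with "http:" or "https:") stays
  // on the current site, so the token is included.
  if (!/^https?:/i.test(requestUrl)) {
    return true;
  }

  // Rule 2: an absolute URL that new URL() cannot parse falls through and
  // keeps the token, matching the library's previous behaviour.
  let parsed;
  try {
    parsed = new URL(requestUrl);
  } catch (err) {
    return true;
  }

  // Rules 3 and 4: same hostname -> include the token; different hostname
  // (a third-party endpoint) -> omit it.
  return parsed.hostname === currentHostname;
}

// Merge the CSRF header into an existing headers object only when the decision
// above says so. The header name 'X-CSRF-Token' is an assumption for illustration.
function withCsrfHeader(headers, requestUrl, currentHostname, token) {
  const out = { ...headers };
  if (shouldIncludeCsrfToken(requestUrl, currentHostname)) {
    out['X-CSRF-Token'] = token;
  }
  return out;
}

// Constructed sample requests from a page served at app.example.com.
const SAMPLE_HOST = 'app.example.com';
const SAMPLE_REQUESTS = [
  '/api/items',                          // relative path -> token included
  'https://app.example.com/api/items',   // same hostname -> token included
  'https://cdn.app.example.com/asset',   // different hostname -> token omitted
  'https://api.thirdparty.example/v1',   // third-party endpoint -> token omitted
  'http://',                             // unparseable absolute URL -> token included
];

for (const url of SAMPLE_REQUESTS) {
  console.log(url, '->', shouldIncludeCsrfToken(url, SAMPLE_HOST));
}
```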