Fix #17878: Detect CORS AJAX requests without X-Requested-With in Request::getIsAjax()

framework/CHANGELOG.md

@@ -4,6 +4,7 @@ Yii Framework 2 Change Log
 2.0.33 under development
 ------------------------
 
+- Bug #17878: Detect CORS AJAX requests without `X-Requested-With` in `Request::getIsAjax()` (dicrtarasov, samdark)
 - Enh #17929: Actions can now have bool typed params bound (alex-code)
 - Enh #17827: Add `StringValidator::$strict` that can be turned off to allow any scalars (adhayward, samdark)
 - Bug #16145: Fix `Html` helper `checkboxList()`, `radioList()`, `renderSelectOptions()`, `dropDownList()`, `listBox()` methods to work properly with traversable selection (samdark)

framework/web/Request.php

@@ -471,8 +471,8 @@ class Request extends \yii\base\Request
     /**
      * Returns whether this is an AJAX (XMLHttpRequest) request.
      *
-     * Note that jQuery doesn't set the header in case of cross domain
-     * requests: https://stackoverflow.com/questions/8163703/cross-domain-ajax-doesnt-send-x-requested-with-header
+     * Note that in case of cross domain requests, browser doesn't set the X-Requested-With header by default:
+     * https://stackoverflow.com/questions/8163703/cross-domain-ajax-doesnt-send-x-requested-with-header
      *
      * In case you are using `fetch()`, pass header manually:
      *
@@ -487,7 +487,13 @@ class Request extends \yii\base\Request
      */
     public function getIsAjax()
     {
-        return $this->headers->get('X-Requested-With') === 'XMLHttpRequest';
+        $origin = $this->headers->get('Origin');
+
+        return
+            ($this->headers->get('X-Requested-With') === 'XMLHttpRequest') ||
+            ($this->headers->get('Sec-Fetch-Mode') === 'cors') ||
+            ($this->headers->get('Sec-Fetch-Site') === 'cross-site') ||
+            ($origin !== null && $origin !== $this->getHostInfo());
     }
 
     /**