Fix #17878: Detect CORS AJAX requests without X-Requested-With in Request::getIsAjax()

2025-11-03 05:48:11 +08:00 · 2020-03-24 21:01:52 +05:00
parent 4b6d3c0290
commit 7f88acb313
4 changed files with 29 additions and 4 deletions
--- a/framework/CHANGELOG.md
+++ b/framework/CHANGELOG.md
@ -4,6 +4,7 @@ Yii Framework 2 Change Log
 2.0.33 under development
 ------------------------

+- Bug #17878: Detect CORS AJAX requests without `X-Requested-With` in `Request::getIsAjax()` (dicrtarasov, samdark)
 - Enh #17929: Actions can now have bool typed params bound (alex-code)
 - Enh #17827: Add `StringValidator::$strict` that can be turned off to allow any scalars (adhayward, samdark)
 - Bug #16145: Fix `Html` helper `checkboxList()`, `radioList()`, `renderSelectOptions()`, `dropDownList()`, `listBox()` methods to work properly with traversable selection (samdark)
--- a/framework/web/Request.php
+++ b/framework/web/Request.php
@ -471,8 +471,8 @@ class Request extends \yii\base\Request
    /**
     * Returns whether this is an AJAX (XMLHttpRequest) request.
     *
-     * Note that jQuery doesn't set the header in case of cross domain
-     * requests: https://stackoverflow.com/questions/8163703/cross-domain-ajax-doesnt-send-x-requested-with-header
+     * Note that in case of cross domain requests, browser doesn't set the X-Requested-With header by default:
+     * https://stackoverflow.com/questions/8163703/cross-domain-ajax-doesnt-send-x-requested-with-header
     *
     * In case you are using `fetch()`, pass header manually:
     *
@ -487,7 +487,13 @@ class Request extends \yii\base\Request
     */
    public function getIsAjax()
    {
-        return $this->headers->get('X-Requested-With') === 'XMLHttpRequest';
+        $origin = $this->headers->get('Origin');
+
+        return
+            ($this->headers->get('X-Requested-With') === 'XMLHttpRequest') ||
+            ($this->headers->get('Sec-Fetch-Mode') === 'cors') ||
+            ($this->headers->get('Sec-Fetch-Site') === 'cross-site') ||
+            ($origin !== null && $origin !== $this->getHostInfo());
    }

    /**
--- a/tests/framework/ChangeLogTest.php
+++ b/tests/framework/ChangeLogTest.php
@ -18,7 +18,7 @@ class ChangeLogTest extends TestCase
    public function changeProvider()
    {

-        $lines = explode("\n", file_get_contents(__DIR__ . '/../../framework/CHANGELOG.md'));
+        $lines = preg_split("~\R~", file_get_contents(__DIR__ . '/../../framework/CHANGELOG.md'), PREG_SPLIT_NO_EMPTY);

        // Don't check last 1500 lines, they are old and often don't obey the standard.
        $lastIndex = count($lines) - 1500;
--- a/tests/framework/web/RequestTest.php
+++ b/tests/framework/web/RequestTest.php
@ -908,6 +908,24 @@ class RequestTest extends TestCase
                ],
                true,
            ],
+            [
+                [
+                    'HTTP_Sec-Fetch-Mode' => 'cors',
+                ],
+                true,
+            ],
+            [
+                [
+                    'HTTP_Sec-Fetch-Site' => 'cross-site',
+                ],
+                true,
+            ],
+            [
+                [
+                    'HTTP_Origin' => 'https://example.com/',
+                ],
+                true,
+            ],
        ];
    }