Fix CSRF check for lax-proto match origin and inputOrigin after removing

asaharan · asaharan · commit a24ef39a589c · 2025-09-01T21:41:47.000+05:30
protocol when checkOrigin is lax-proto
diff --git a/packages/qwik-city/src/middleware/request-handler/resolve-request-handlers.ts b/packages/qwik-city/src/middleware/request-handler/resolve-request-handlers.ts
@@ -450,8 +450,7 @@ function checkCSRF(requestEv: RequestEvent, laxProto?: 'lax-proto') {
     if (
       forbidden &&
       laxProto &&
-      origin.startsWith('https://') &&
-      inputOrigin?.slice(4) === origin.slice(5)
+      inputOrigin?.replace(/http(s)?/g, '') === origin.replace(/http(s)?/g, '')
     ) {
       forbidden = false;
     }
