fix: compare URLs without protocols with checkOrigin: lax-proto (#7865)

* Remove standard CSRF middleware for lax-proto

Previously, two CSRF middlewares were added for lax-proto requests: one
at the beginning and one at the end. This change replaces them with a
single middleware placed at the beginning. Non-lax-proto cases remain
unchanged.

* Fix CSRF check for lax-proto match origin and inputOrigin after removing
protocol when checkOrigin is lax-proto

* fix: replace http(s) only at the beginning

* Update .changeset/curvy-glasses-wash.md

Co-authored-by: Giorgio Boa <35845425+gioboa@users.noreply.github.com>

---------

Co-authored-by: Giorgio Boa <35845425+gioboa@users.noreply.github.com>

Author: asaharan

.changeset/curvy-glasses-wash.md

@@ -0,0 +1,5 @@
+---
+'@builder.io/qwik-city': patch
+---
+
+FIX: fix behaviour of checkOrigin: "lax-proto" in createQwikCity

packages/qwik-city/src/middleware/request-handler/resolve-request-handlers.ts

@@ -66,10 +66,10 @@ export const resolveRequestHandlers = (
       checkOrigin &&
       (method === 'POST' || method === 'PUT' || method === 'PATCH' || method === 'DELETE')
     ) {
-      requestHandlers.unshift(csrfCheckMiddleware);
-
       if (checkOrigin === 'lax-proto') {
-        requestHandlers.push(csrfLaxProtoCheckMiddleware);
+        requestHandlers.unshift(csrfLaxProtoCheckMiddleware);
+      } else {
+        requestHandlers.unshift(csrfCheckMiddleware);
       }
     }
     if (isPageRoute) {
@@ -450,8 +450,7 @@ function checkCSRF(requestEv: RequestEvent, laxProto?: 'lax-proto') {
     if (
       forbidden &&
       laxProto &&
-      origin.startsWith('https://') &&
-      inputOrigin?.slice(4) === origin.slice(5)
+      inputOrigin?.replace(/^http(s)?/g, '') === origin.replace(/^http(s)?/g, '')
     ) {
       forbidden = false;
     }