From 6d34c584752243401486801f72bf38b1ee969ba9 Mon Sep 17 00:00:00 2001
From: Lucisu <46996317+Lucisu@users.noreply.github.com>
Date: Sat, 31 Aug 2024 13:18:50 -0300
Subject: [PATCH 1/2] Prevent CSRF token from being leaked to cross-origin requests
---
 resources/js/controllers/html_load_controller.js | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/resources/js/controllers/html_load_controller.js b/resources/js/controllers/html_load_controller.js
index 3a9392d9c6..f34dc93ca9 100644
--- a/resources/js/controllers/html_load_controller.js
+++ b/resources/js/controllers/html_load_controller.js
@@ -41,8 +41,21 @@ export default class extends ApplicationController {
 window.axios.defaults.headers.common['X-CSRF-TOKEN'] = token.content;
 window.axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
+ axios.interceptors.request.use(function (config) {
+ const url = new URL(config.url);
+
+ if (url.origin !== window.location.origin) {
+ delete config.headers['X-CSRF-TOKEN'];
+ }
+ return config;
+ });
+
 document.addEventListener("turbo:before-fetch-request", (event) => {
- event.detail.fetchOptions.headers["X-CSRF-TOKEN"] = token.content;
+ const url = new URL(config.url);
+
+ if (url.origin !== window.location.origin) {
+ event.detail.fetchOptions.headers["X-CSRF-TOKEN"] = token.content;
+ }
 });
 }
From cf40a8759abf7dca95975c659d0a764632acd99f Mon Sep 17 00:00:00 2001
From: Lucisu <46996317+Lucisu@users.noreply.github.com>
Date: Sat, 31 Aug 2024 13:38:27 -0300
Subject: [PATCH 2/2] Update html_load_controller.js
---
 resources/js/controllers/html_load_controller.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/js/controllers/html_load_controller.js b/resources/js/controllers/html_load_controller.js
index f34dc93ca9..30061526a1 100644
--- a/resources/js/controllers/html_load_controller.js
+++ b/resources/js/controllers/html_load_controller.js
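Review bot: The interceptor's `new URL(config.url)` throws a TypeError for a relative request URL (`/path`, or a path meant to be resolved against `config.baseURL`), and because the interceptor runs on every axios request that rejects the request outright instead of merely leaving the header off. Resolve against a base first: `const url = new URL(config.url, config.baseURL ?? window.location.href);`. The interceptor is also registered through the bare `axios` identifier while the adjacent lines use `window.axios`; unless this module imports `axios`, that is a ReferenceError, so `window.axios.interceptors.request.use(...)` would match the rest of the block. The enclosing controller method starts before the hunk, so if it runs on every `connect()` a new interceptor is stacked per instance — worth confirming against the method it lives in.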
@@ -51,7 +51,7 @@ export default class extends ApplicationController {
 });
 document.addEventListener("turbo:before-fetch-request", (event) => {
- const url = new URL(config.url);
+ const url = new URL(event.detail.url);
 if (url.origin !== window.location.origin) {
 event.detail.fetchOptions.headers["X-CSRF-TOKEN"] = token.content;
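Review bot: The guard around the Turbo header assignment is inverted: the token is attached only when `url.origin !== window.location.origin`, which is exactly the cross-origin case the series is meant to prevent, and same-origin Turbo requests now go out without `X-CSRF-TOKEN` at all. This patch only corrects the `config.url` reference and keeps the wrong condition; change it to `if (url.origin === window.location.origin) {` (or mirror the axios interceptor and delete the header when the origins differ, so the two paths agree). `new URL(event.detail.url)` is fine as long as Turbo supplies an absolute URL or a `URL` object there; if it can ever be relative, pass `window.location.href` as the base as well. The listener's enclosing method starts before the hunk.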