Description:
The 'sanctum.stateful' configuration (by default SANCTUM_STATEFUL_DOMAINS in .env) specifies a list of hosts/domains. However, EnsureFrontendRequestsAreStateful::fromFrontend() uses the HTTP referer with "http://" and "https://" removed to match against the list. This can yield incorrect results.
Steps To Reproduce:
False positive:
Set SANCTUM_STATEFUL_DOMAINS="example.com".
Access from "example.com.jp"; fromFrontend() accepts that.
False negative:
Set SANCTUM_STATEFUL_DOMAINS="*.example.com".
Access with HTTP referer "http://foobar.example.com/"; fromFrontend() rejects that (note ending '/' in referer).
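A host matcher that avoids both failure modes described above, written as an added example for this report and not taken from Sanctum itself. It parses the referer as a URL and compares only the host (plus any non-default port) against each configured entry, anchored at both ends, with `*.` entries matching subdomains only; entry names, the port handling and the constructed referer values are assumptions for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def referer_authority(referer: str) -> Optional[str]:
    """Return 'host' or 'host:port' from a Referer/Origin URL, or None.

    Parsing the URL instead of stripping 'http://' / 'https://' from the raw
    string discards the path, query, fragment and userinfo, so a trailing '/'
    or a client-chosen path can no longer influence the comparison.
    """
    if not referer:
        return None
    parts = urlsplit(referer.strip())
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")   # .hostname is already lowercased
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return host
    return f"{host}:{port}"             # assumption: entries may carry a port


def entry_matches(authority: str, entry: str) -> bool:
    """Match one parsed authority against one stateful-domain entry.

    'example.com'   matches exactly example.com (both ends anchored, so
                    example.com.jp is rejected)
    '*.example.com' matches any host ending in '.example.com', but not the
                    apex example.com itself
    """
    entry = entry.strip().lower()
    if not entry:
        return False
    if entry.startswith("*."):
        suffix = entry[1:]              # '.example.com'
        return authority.endswith(suffix) and len(authority) > len(suffix)
    return authority == entry


def from_frontend(referer: str, stateful_domains: str) -> bool:
    """True when the referer's host is in the comma-separated allow list."""
    authority = referer_authority(referer)
    if authority is None:
        return False
    return any(entry_matches(authority, e) for e in stateful_domains.split(","))
```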