From ee92b3737c6e70bb130ce6e0ab054c54db07dc63 Mon Sep 17 00:00:00 2001
From: Ben Toews
Date: Wed, 10 Dec 2014 14:15:24 -0700
Subject: [PATCH] check the location/anchor protocol/host
---
 csrf.coffee | 3 +--
 test/unit/csrf.coffee | 13 +++++++++++++
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/csrf.coffee b/csrf.coffee
index 895c82e..78f5ee4 100644
--- a/csrf.coffee
+++ b/csrf.coffee
@@ -64,5 +64,4 @@ $(document).on 'submit:prepare', 'form', ->
 isSameOrigin = (url) ->
   a = document.createElement 'a'
   a.href = url
-  origin = a.href.split('/', 3).join "/"
-  location.href.indexOf(origin) is 0
+  "#{location.protocol}//#{location.host}" == "#{a.protocol}//#{a.host}"
diff --git a/test/unit/csrf.coffee b/test/unit/csrf.coffee
index 37f14a8..939147e 100644
--- a/test/unit/csrf.coffee
+++ b/test/unit/csrf.coffee
@@ -80,6 +80,19 @@ each frameworks, (framework) ->
     form.submit()
+  asyncTest "adds X-CSRF-Token to POST forms when URL contains basic auth credentials", ->
+    token = "2705a83a5a0659cce34583972637eda5"
+    @$("").appendTo('body')
+    @$("").appendTo('body')
+
+    form = @$("
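Review bot: The added comparison reads `==` where the removed line (and the rest of CoffeeScript idiom) used `is`; both compile to `===`, so `"#{location.protocol}//#{location.host}" is "#{a.protocol}//#{a.host}"` keeps the file's style. The reason for the change also deserves a comment above `isSameOrigin`, because the removed prefix test on `location.href` accepted any target whose scheme and host were merely a leading substring of the current page's URL and rejected same-origin targets that carried credentials in the URL; something like `# Same origin means identical scheme, host and port of the resolved URL; a prefix match on location.href would accept a host that is only a prefix of ours.` One caveat worth a test: some older browsers are reported to leave `a.protocol`/`a.host` unresolved for relative hrefs, or to include the default port in `a.host` while `location.host` omits it, which would make a genuinely same-origin form fail this check and be submitted without its token (fail-closed, but a functional regression); a case with a relative `action` would show whether that matters for the supported browsers. `isSameOrigin` begins inside the hunk; whether its body continues past the added line is not visible here.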
").appendTo('body')
+
+    window.formSubmitted = (data) ->
+      equal token, data.params['authenticity_token']
+      start()
+
+    form.submit()
+
   asyncTest "doesn't add X-CSRF-Token to GET forms", ->
     token = "2705a83a5a0659cce34583972637eda5"
     @$("").appendTo('body')