Fix domain checking for request (#40080)

Fedik · web-flow · commit 01f1a9f673cc · 2023-03-12T09:12:13.000-04:00
diff --git a/build/media_source/system/js/core.es6.js b/build/media_source/system/js/core.es6.js
@@ -623,8 +623,12 @@ window.Joomla.Modal = window.Joomla.Modal || {
         const token = Joomla.getOptions('csrf.token', '');
 
         // Use the CSRF only on the site's domain
-        // eslint-disable-next-line no-restricted-globals
-        if (token && (newOptions.url.startsWith('/') || newOptions.url.startsWith(location.origin))) {
+        if (
+          token && (
+            (!newOptions.url.startsWith('http:') && !newOptions.url.startsWith('https:'))
+            || newOptions.url.startsWith(window.location.origin)
+          )
+        ) {
           xhr.setRequestHeader('X-CSRF-Token', token);
         }
 
