chore: add casing check

Author: ematipico

packages/astro/src/core/app/index.ts

@@ -163,8 +163,9 @@ export class App {
 		return defineMiddleware((context, next) => {
 			const { request, url } = context;
 			const contentType = request.headers.get('content-type');
+			console.log(contentType);
 			if (contentType) {
-				if (this.#formContentTypes.includes(contentType)) {
+				if (this.#formContentTypes.includes(contentType.toLowerCase())) {
 					const forbidden =
 						(request.method === 'POST' ||
 							request.method === 'PUT' ||

packages/astro/test/csrf-protection.test.js

@@ -25,6 +25,14 @@ describe('CSRF origin check', () => {
 		response = await app.render(request);
 		assert.equal(response.status, 403);
 
+		// case where content-type has different casing
+		request = new Request('http://example.com/api/', {
+			headers: { origin: 'http://loreum.com', 'content-type': 'MULTIPART/FORM-DATA' },
+			method: 'POST',
+		});
+		response = await app.render(request);
+		assert.equal(response.status, 403);
+
 		request = new Request('http://example.com/api/', {
 			headers: { origin: 'http://loreum.com', 'content-type': 'application/x-www-form-urlencoded' },
 			method: 'POST',