import platform from "../platform/index.js"; import utils from "../utils.js"; import isURLSameOrigin from "./isURLSameOrigin.js"; import cookies from "./cookies.js"; import buildFullPath from "../core/buildFullPath.js"; import mergeConfig from "../core/mergeConfig.js"; import AxiosHeaders from "../core/AxiosHeaders.js"; import buildURL from "./buildURL.js"; export default (config) => { const newConfig = mergeConfig({}, config); let { data, withXSRFToken, xsrfHeaderName, xsrfCookieName, headers, auth } = newConfig; newConfig.headers = headers = AxiosHeaders.from(headers); newConfig.url = buildURL(buildFullPath(newConfig.baseURL, newConfig.url, newConfig.allowAbsoluteUrls), config.params, config.paramsSerializer); // HTTP basic authentication if (auth) { headers.set('Authorization', 'Basic ' + btoa((auth.username || '') + ':' + (auth.password ? unescape(encodeURIComponent(auth.password)) : '')) ); } if (utils.isFormData(data)) { if (platform.hasStandardBrowserEnv || platform.hasStandardBrowserWebWorkerEnv) { headers.setContentType(undefined); // browser handles it } else if (utils.isFunction(data.getHeaders)) { // Node.js FormData (like form-data package) const formHeaders = data.getHeaders(); // Only set safe headers to avoid overwriting security headers const allowedHeaders = ['content-type', 'content-length']; Object.entries(formHeaders).forEach(([key, val]) => { if (allowedHeaders.includes(key.toLowerCase())) { headers.set(key, val); } }); } } // Add xsrf header // This is only done if running in a standard browser environment. // Specifically not if we're in a web worker, or react-native. if (platform.hasStandardBrowserEnv) { withXSRFToken && utils.isFunction(withXSRFToken) && (withXSRFToken = withXSRFToken(newConfig)); if (withXSRFToken || (withXSRFToken !== false && isURLSameOrigin(newConfig.url))) { // Add xsrf header const xsrfValue = xsrfHeaderName && xsrfCookieName && cookies.read(xsrfCookieName); if (xsrfValue) { headers.set(xsrfHeaderName, xsrfValue); } } } return newConfig; }