@@ -194,6 +194,44 @@ describe('workflow execute async route', () => {
194194 )
195195 } )
196196
197+ it ( 'rejects cross-site session requests before authorization work' , async ( ) => {
198+ const req = createMockRequest (
199+ 'POST' ,
200+ { input : { hello : 'world' } } ,
201+ {
202+ 'Content-Type' : 'application/json' ,
203+ 'Sec-Fetch-Site' : 'cross-site' ,
204+ }
205+ )
206+ const params = Promise . resolve ( { id : 'workflow-1' } )
207+
208+ const response = await POST ( req , { params } )
209+ const body = await response . json ( )
210+
211+ expect ( response . status ) . toBe ( 403 )
212+ expect ( body . error ) . toBe ( 'Access denied' )
213+ expect ( mockAuthorizeWorkflowByWorkspacePermission ) . not . toHaveBeenCalled ( )
214+ expect ( mockEnqueue ) . not . toHaveBeenCalled ( )
215+ } )
216+
217+ it ( 'allows same-site session requests (multi-subdomain Run, e.g. www.<domain>)' , async ( ) => {
218+ const req = createMockRequest (
219+ 'POST' ,
220+ { input : { hello : 'world' } } ,
221+ {
222+ 'Content-Type' : 'application/json' ,
223+ 'X-Execution-Mode' : 'async' ,
224+ 'Sec-Fetch-Site' : 'same-site' ,
225+ }
226+ )
227+ const params = Promise . resolve ( { id : 'workflow-1' } )
228+
229+ const response = await POST ( req , { params } )
230+
231+ expect ( response . status ) . toBe ( 202 )
232+ expect ( mockEnqueue ) . toHaveBeenCalled ( )
233+ } )
234+
197235 it ( 'rejects oversized request bodies before authorization work' , async ( ) => {
198236 const req = createMockRequest (
199237 'POST' ,
0 commit comments