SEBWIN-441: Ensured custom headers are only appended to same-domain requests.

SafeExamBrowser.Browser/Handlers/ResourceHandler.cs

@@ -80,7 +80,7 @@ namespace SafeExamBrowser.Browser.Handlers
 				return CefReturnValue.Cancel;
 			}
 
-			AppendCustomHeaders(request);
+			AppendCustomHeaders(webBrowser, request);
 			ReplaceSebScheme(request);
 
 			return base.OnBeforeResourceLoad(webBrowser, browser, frame, request, callback);
@@ -112,11 +112,16 @@ namespace SafeExamBrowser.Browser.Handlers
 			return base.OnResourceResponse(webBrowser, browser, frame, request, response);
 		}
 
-		private void AppendCustomHeaders(IRequest request)
+		private void AppendCustomHeaders(IWebBrowser webBrowser, IRequest request)
 		{
 			var headers = new NameValueCollection(request.Headers);
 			var urlWithoutFragment = request.Url.Split('#')[0];
 
+			Uri.TryCreate(webBrowser.Address, UriKind.Absolute, out var pageUrl);
+			Uri.TryCreate(request.Url, UriKind.Absolute, out var requestUrl);
+
+			if (pageUrl?.Host?.Equals(requestUrl?.Host) == true)
+			{
 				if (settings.SendConfigurationKey)
 				{
 					var hash = algorithm.ComputeHash(Encoding.UTF8.GetBytes(urlWithoutFragment + settings.ConfigurationKey));
@@ -135,6 +140,7 @@ namespace SafeExamBrowser.Browser.Handlers
 
 				request.Headers = headers;
 			}
+		}
 
 		private bool Block(IRequest request)
 		{