41 lines
1.3 KiB
JavaScript
41 lines
1.3 KiB
JavaScript
import { BaseApp } from "../core/app/base.js";
|
|
function secFetchMiddleware(logger, allowedDomains) {
|
|
return function devSecFetch(req, res, next) {
|
|
const secFetchSite = req.headers["sec-fetch-site"];
|
|
const secFetchMode = req.headers["sec-fetch-mode"];
|
|
if (!secFetchSite) {
|
|
return next();
|
|
}
|
|
if (secFetchSite === "same-origin" || secFetchSite === "same-site" || secFetchSite === "none") {
|
|
return next();
|
|
}
|
|
if (secFetchMode === "navigate" || secFetchMode === "nested-navigate") {
|
|
return next();
|
|
}
|
|
if (secFetchMode === "websocket") {
|
|
return next();
|
|
}
|
|
const origin = req.headers["origin"];
|
|
if (typeof origin === "string") {
|
|
try {
|
|
const originUrl = new URL(origin);
|
|
const protocol = originUrl.protocol.slice(0, -1);
|
|
if (BaseApp.validateForwardedHost(originUrl.host, allowedDomains, protocol)) {
|
|
return next();
|
|
}
|
|
} catch {
|
|
}
|
|
}
|
|
logger.warn(
|
|
"router",
|
|
`Blocked cross-origin request to ${req.url} (Sec-Fetch-Site: ${secFetchSite}, Sec-Fetch-Mode: ${secFetchMode}). Cross-origin subresource requests are not allowed on the dev server for security reasons.`
|
|
);
|
|
res.statusCode = 403;
|
|
res.setHeader("Content-Type", "text/plain");
|
|
res.end("Cross-origin request blocked");
|
|
};
|
|
}
|
|
export {
|
|
secFetchMiddleware
|
|
};
|