fix: handle unsupported protocols

This commit is contained in:
Mohamed Marrouchi 2024-12-02 16:21:36 +01:00
parent 5c21212a96
commit 2407ce86b9


@ -294,8 +294,19 @@ export default abstract class BaseWebChannelHandler<
res: Response | SocketResponse,
) {
const settings = await this.getSettings<typeof WEB_CHANNEL_NAMESPACE>();
// If we have an origin header...
if (req.headers && req.headers.origin) {
// Check if we have an origin header...
if (!req.headers?.origin) {
this.logger.debug('Web Channel Handler : No origin ', req.headers);
throw new Error('CORS - No origin provided!');
}
const originUrl = new URL(req.headers.origin);
const allowedProtocols = new Set(['http:', 'https:']);
if (!allowedProtocols.has(originUrl.protocol)) {
throw new Error('CORS - Invalid origin!');
}
// Get the allowed origins
const origins: string[] = settings.allowed_domains.split(',');
const foundOrigin = origins
@ -317,7 +328,7 @@ export default abstract class BaseWebChannelHandler<
.some((origin: string) => {
// If we find a whitelisted origin, send the Access-Control-Allow-Origin header
// to greenlight the request.
return origin === req.headers.origin;
return origin === originUrl.origin;
});
if (!foundOrigin && !origins.includes('*')) {
@ -330,7 +341,7 @@ export default abstract class BaseWebChannelHandler<
);
throw new Error('CORS - Domain not allowed!');
} else {
res.set('Access-Control-Allow-Origin', req.headers.origin);
res.set('Access-Control-Allow-Origin', originUrl.origin);
}
// Determine whether or not to allow cookies to be passed cross-origin
res.set('Access-Control-Allow-Credentials', 'true');
@ -341,10 +352,6 @@ export default abstract class BaseWebChannelHandler<
res.set('Access-Control-Allow-Methods', 'GET, POST');
res.set('Access-Control-Allow-Headers', 'content-type');
}
return;
}
this.logger.debug('Web Channel Handler : No origin ', req.headers);
throw new Error('CORS - No origin provided!');
}
/**
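Review bot: `new URL(req.headers.origin)` in the first hunk is not guarded, so an Origin value that is not a parseable absolute URL (the literal `null` that browsers send for opaque origins, or any malformed header) surfaces as an uncaught TypeError from the URL constructor rather than the intended `CORS - Invalid origin!` rejection; the protocol allow-list check only runs after parsing succeeds. The parse should be wrapped so a malformed header takes the same rejection path as a disallowed protocol. Note also that the comparison and the response header now use `originUrl.origin`, which is the normalized serialization (lowercased host, default port dropped, no path), so entries in `allowed_domains` must be written in that exact form for the `===` match to succeed — worth a comment on the `origins` line, e.g. `// entries must be normalized origins (scheme://host[:port]), not URLs with paths`. The enclosing method's signature starts above the first hunk.
```typescript
    // Check if we have an origin header...
    if (!req.headers?.origin) {
      this.logger.debug('Web Channel Handler : No origin ', req.headers);
      throw new Error('CORS - No origin provided!');
    }

    // Reject anything the URL parser cannot handle (e.g. "null" or garbage)
    // with the same error as a disallowed scheme instead of leaking a TypeError.
    let originUrl: URL;
    try {
      originUrl = new URL(req.headers.origin);
    } catch {
      throw new Error('CORS - Invalid origin!');
    }
    // … unchanged: protocol allow-list check and allowed_domains matching …
```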