fix: webchannel cors check

Mohamed Marrouchi 2024-12-01 08:22:47 +01:00
parent dbc651a314
commit f59cdf9ad5


@ -298,11 +298,26 @@ export default abstract class BaseWebChannelHandler<
if (req.headers && req.headers.origin) { if (req.headers && req.headers.origin) {
// Get the allowed origins // Get the allowed origins
const origins: string[] = settings.allowed_domains.split(','); const origins: string[] = settings.allowed_domains.split(',');
const foundOrigin = origins.some((origin: string) => { const foundOrigin = origins
origin = origin.trim(); .map((origin) => {
try {
return new URL(origin.trim()).origin;
} catch (error) {
this.logger.error(
`Invalid URL in allowed domains: ${origin}`,
error,
);
return null;
}
})
.filter(
(normalizedOrigin): normalizedOrigin is string =>
normalizedOrigin !== null,
)
.some((origin: string) => {
// If we find a whitelisted origin, send the Access-Control-Allow-Origin header // If we find a whitelisted origin, send the Access-Control-Allow-Origin header
// to greenlight the request. // to greenlight the request.
return origin == req.headers.origin || origin == '*'; return origin === req.headers.origin || origin === '*';
}); });
if (!foundOrigin) { if (!foundOrigin) {
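Review bot: The `*` wildcard can no longer match after this change: in the added `.map` callback `new URL('*')` throws, so the entry is logged as invalid and filtered out before the `.some` callback ever evaluates `origin === '*'`. If the wildcard is still meant to be supported, short-circuit it before parsing, e.g. `const trimmed = origin.trim();` followed by `if (trimmed === '*') return trimmed;`; if it is meant to be retired, remove the dead comparison so the allow-list logic reads as it behaves. The same catch path also fires for an empty `allowed_domains` (which splits to `['']`) and for any entry written without a scheme, and since the list is re-parsed on every request that carries an Origin header, each bad entry yields one error log per request; normalizing the list once when the setting is loaded would avoid that. The body of `if (!foundOrigin)` and the rest of the enclosing method lie outside the hunk, so how a rejected origin is handled cannot be checked here.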