mirror of
https://github.com/hexastack/hexabot
synced 2024-12-28 23:02:03 +00:00
fix: webchannel cors check
This commit is contained in:
parent
dbc651a314
commit
f59cdf9ad5
@ -298,11 +298,26 @@ export default abstract class BaseWebChannelHandler<
|
||||
if (req.headers && req.headers.origin) {
|
||||
// Get the allowed origins
|
||||
const origins: string[] = settings.allowed_domains.split(',');
|
||||
const foundOrigin = origins.some((origin: string) => {
|
||||
origin = origin.trim();
|
||||
const foundOrigin = origins
|
||||
.map((origin) => {
|
||||
try {
|
||||
return new URL(origin.trim()).origin;
|
||||
} catch (error) {
|
||||
this.logger.error(
|
||||
`Invalid URL in allowed domains: ${origin}`,
|
||||
error,
|
||||
);
|
||||
return null;
|
||||
}
|
||||
})
|
||||
.filter(
|
||||
(normalizedOrigin): normalizedOrigin is string =>
|
||||
normalizedOrigin !== null,
|
||||
)
|
||||
.some((origin: string) => {
|
||||
// If we find a whitelisted origin, send the Access-Control-Allow-Origin header
|
||||
// to greenlight the request.
|
||||
return origin == req.headers.origin || origin == '*';
|
||||
return origin === req.headers.origin || origin === '*';
|
||||
});
|
||||
|
||||
if (!foundOrigin) {
|
||||
|
Loading…
Reference in New Issue
Block a user