"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.shouldOmitCredentials = exports.check = void 0;
const builtin_header_names_1 = __importDefault(require("./builtin-header-names"));
const lodash_1 = require("lodash");
const url_1 = require("../utils/url");
// NOTE: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
/**
 * Emulates the browser-side CORS response check for a proxied request.
 *
 * @param {object} ctx - request context; reads `ctx.dest.domain`,
 *   `ctx.dest.reqOrigin`, `ctx.dest.credentials` and `ctx.destRes.headers`.
 * @returns {boolean} true when the response may be exposed to the requester.
 *
 * NOTE(review): two places are more permissive than the Fetch spec and so
 * may let a request through the proxy that a real browser would block:
 *  - `Access-Control-Allow-Credentials` is compared case-insensitively,
 *    whereas browsers require the exact token `true`;
 *  - several `Access-Control-Allow-Origin` values are accepted if any one of
 *    them matches, whereas browsers fail the check on a multi-valued header.
 * Both are left as-is here because this may be deliberate for the proxy;
 * confirm against the intended browser-fidelity contract before tightening.
 */
function check(ctx) {
    const { domain, reqOrigin, credentials } = ctx.dest;
    // PASSED: same origin — CORS does not apply at all.
    if (domain === reqOrigin)
        return true;
    const responseHeaders = ctx.destRes.headers;
    const allowOriginHeader = responseHeaders[builtin_header_names_1.default.accessControlAllowOrigin];
    // FAILED: without Access-Control-Allow-Origin every cross-origin
    // request is denied.
    if (!allowOriginHeader)
        return false;
    // The header may arrive as a single string or as an array of values.
    const allowedOrigins = (0, lodash_1.castArray)(allowOriginHeader);
    const hasWildcard = allowedOrigins.includes('*');
    if (credentials === url_1.Credentials.include) {
        const allowCredentialsHeader = responseHeaders[builtin_header_names_1.default.accessControlAllowCredentials];
        const credentialsAllowed = String(allowCredentialsHeader).toLowerCase() === 'true';
        // FAILED: a credentialed request needs an explicit opt-in AND an exact
        // origin — `*` is never a valid allow-list for credentialed requests.
        if (!credentialsAllowed || hasWildcard)
            return false;
    }
    // FINAL CHECK: wildcard, or the request origin is explicitly listed.
    return hasWildcard || allowedOrigins.includes(reqOrigin);
}
exports.check = check;
/**
 * Decides whether credentials (cookies, auth headers) must be stripped from
 * the outgoing request, based on the request's credentials mode.
 *
 * @param {object} ctx - request context; reads `ctx.dest.credentials`,
 *   `ctx.dest.reqOrigin` and `ctx.dest.domain`.
 * @returns {boolean} true when credentials must be omitted.
 */
function shouldOmitCredentials(ctx) {
    const { credentials, reqOrigin, domain } = ctx.dest;
    if (credentials === url_1.Credentials.omit)
        return true;
    // `same-origin`: keep credentials only when the target is the requester's own origin.
    if (credentials === url_1.Credentials.sameOrigin)
        return reqOrigin !== domain;
    // `include` and any unrecognised mode both keep credentials.
    return false;
}
exports.shouldOmitCredentials = shouldOmitCredentials;