"use strict";
// Compiler-emitted interop helper: reuse an already-defined helper on `this`
// (the CommonJS module wrapper) when present, otherwise define it here.
var __importDefault = (this && this.__importDefault) || function (mod) {
    // A module that already carries the `__esModule` flag is returned as-is.
    if (mod && mod.__esModule) {
        return mod;
    }
    // Anything else (a plain CommonJS export) is wrapped as the default export.
    return { "default": mod };
};
// Mark the module as compiled from ES-module syntax so `__importDefault`
// consumers treat its exports as a namespace rather than a default value.
Object.defineProperty(exports, "__esModule", { value: true });
// Pre-declare the public bindings; they are assigned below once the
// functions are defined.
exports.check = undefined;
exports.shouldOmitCredentials = undefined;
const builtin_header_names_1 = __importDefault(require("./builtin-header-names"));
const lodash_1 = require("lodash");
const url_1 = require("../utils/url");
// NOTE: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
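/**
 * Performs the CORS response check for a request proxied to `ctx.dest`,
 * using the destination response headers in `ctx.destRes.headers`.
 *
 * @param {object} ctx - context object; reads `ctx.dest.domain`,
 *   `ctx.dest.reqOrigin`, `ctx.dest.credentials` and `ctx.destRes.headers`
 * @returns {boolean} `true` when the response may be exposed to the
 *   requesting origin, `false` when the CORS check fails
 */
function check(ctx) {
    const reqOrigin = ctx.dest.reqOrigin;

    // PASSED: Same origin, no CORS check needed.
    if (ctx.dest.domain === reqOrigin)
        return true;

    const withCredentials        = ctx.dest.credentials === url_1.Credentials.include;
    const allowOriginHeader      = ctx.destRes.headers[builtin_header_names_1.default.accessControlAllowOrigin];
    const allowCredentialsHeader = ctx.destRes.headers[builtin_header_names_1.default.accessControlAllowCredentials];

    // Browsers compare Access-Control-Allow-Credentials byte-exactly against
    // `true` (Fetch spec CORS check), so the comparison is case-sensitive here
    // too; a lower-cased match would grant credentialed access a real browser
    // denies. `String(...)` keeps an absent header (`undefined`) from matching.
    const allowCredentials = String(allowCredentialsHeader) === 'true';

    // `(0, fn)(...)` is the compiler's way of calling without a `this` binding.
    // castArray lets a single header value and a list of values share one path.
    const allowedOrigins  = (0, lodash_1.castArray)(allowOriginHeader);
    const wildcardAllowed = allowedOrigins.includes('*');

    // FAILED: Destination server doesn't provide the Access-Control-Allow-Origin
    // header, so cross-domain requests are denied.
    if (!allowOriginHeader)
        return false;

    // FAILED: Credentialed requests are not allowed, or wildcarding was used
    // for the allowed origin (credentialed requests must name the exact origin).
    if (withCredentials && (!allowCredentials || wildcardAllowed))
        return false;

    // FINAL CHECK: The request origin should match one of the allowed origins.
    return wildcardAllowed || allowedOrigins.includes(reqOrigin);
}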
// Public export of the CORS response check.
exports.check = check;
/**
 * Decides whether credentials must be stripped from the proxied request,
 * based on the request's credentials mode.
 *
 * @param {object} ctx - context object; reads `ctx.dest.credentials` and, for
 *   the same-origin mode, `ctx.dest.reqOrigin` and `ctx.dest.domain`
 * @returns {boolean} `true` when credentials should be omitted
 */
function shouldOmitCredentials(ctx) {
    const { Credentials } = url_1;
    const mode = ctx.dest.credentials;

    if (mode === Credentials.omit)
        return true;

    // Same-origin mode keeps credentials only when the request origin and the
    // destination domain coincide.
    if (mode === Credentials.sameOrigin)
        return ctx.dest.reqOrigin !== ctx.dest.domain;

    // `include`, and any unrecognised mode, keep credentials.
    return false;
}
// Public export of the credentials-omission decision.
exports.shouldOmitCredentials = shouldOmitCredentials;