Innovenergy_trunk/frontend/node_modules/testcafe-hammerhead/lib/request-pipeline/same-origin-policy.js

47 lines
2.1 KiB
JavaScript

"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.shouldOmitCredentials = exports.check = void 0;
const builtin_header_names_1 = __importDefault(require("./builtin-header-names"));
const lodash_1 = require("lodash");
const url_1 = require("../utils/url");
// NOTE: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
function check(ctx) {
const reqOrigin = ctx.dest.reqOrigin;
// PASSED: Same origin.
if (ctx.dest.domain === reqOrigin)
return true;
const withCredentials = ctx.dest.credentials === url_1.Credentials.include;
const allowOriginHeader = ctx.destRes.headers[builtin_header_names_1.default.accessControlAllowOrigin];
const allowCredentialsHeader = ctx.destRes.headers[builtin_header_names_1.default.accessControlAllowCredentials];
const allowCredentials = String(allowCredentialsHeader).toLowerCase() === 'true';
const allowedOrigins = (0, lodash_1.castArray)(allowOriginHeader);
const wildcardAllowed = allowedOrigins.includes('*');
// FAILED: Destination server doesn't provide the Access-Control-Allow-Origin header.
// So cross-domain requests are denied
if (!allowOriginHeader)
return false;
// FAILED: Credentialed requests are not allowed or wild carding was used
// for the allowed origin (credentialed requests should specify the exact domain).
if (withCredentials && (!allowCredentials || wildcardAllowed))
return false;
// FINAL CHECK: The request origin should match one of the allowed origins.
return wildcardAllowed || allowedOrigins.includes(reqOrigin);
}
exports.check = check;
function shouldOmitCredentials(ctx) {
switch (ctx.dest.credentials) {
case url_1.Credentials.omit:
return true;
case url_1.Credentials.sameOrigin:
return ctx.dest.reqOrigin !== ctx.dest.domain;
case url_1.Credentials.include:
return false;
default:
return false;
}
}
exports.shouldOmitCredentials = shouldOmitCredentials;