security: remove cors
I traced this back to a commit from 2014! 781495e662
@@ -1,54 +0,0 @@
/* jshint node:true */
import url from 'node:url';
/*
* CORS middleware
*
* options can contains a list of origins
*/
export default function cors(options) {
options = options || { };
const maxAge = options.maxAge || 60 * 60 * 25 * 5; // 5 days
const origins = options.origins || [ '*' ];
const allowCredentials = options.allowCredentials || false; // cookies
return function (req, res, next) {
let requestOrigin = req.headers.origin;
if (!requestOrigin) return next();
requestOrigin = url.parse(requestOrigin);
if (!requestOrigin.host) return res.status(405).send('CORS not allowed from this domain');
const hostname = requestOrigin.host.split(':')[0]; // remove any port
const originAllowed = origins.some(function (o) { return o === '*' || o === hostname; });
if (!originAllowed) {
return res.status(405).send('CORS not allowed from this domain');
}
// respond back with req.headers.origin which might contain the scheme
res.header('Access-Control-Allow-Origin', req.headers.origin);
res.header('Access-Control-Allow-Credentials', allowCredentials);
// handle preflighted requests
if (req.method === 'OPTIONS') {
if (req.headers['access-control-request-method']) {
res.header('Access-Control-Allow-Methods', 'GET, PUT, DELETE, POST, OPTIONS');
}
if (req.headers['access-control-request-headers']) {
res.header('Access-Control-Allow-Headers', req.headers['access-control-request-headers']);
}
res.header('Access-Control-Max-Age', maxAge);
return res.status(200).send();
}
if (req.headers['access-control-request-headers']) {
res.header('Access-Control-Allow-Headers', req.headers['access-control-request-headers']);
}
next();
};
};
@@ -1,5 +1,4 @@
import cookieParser from 'cookie-parser';
import cors from './cors.js';
import json from './json.js';
import lastMile from '@cloudron/connect-lastmile';
import multipart from './multipart.js';
@@ -7,7 +6,6 @@ import timeout from 'connect-timeout';
export default {
cookieParser,
cors,
json,
lastMile,
multipart,
@@ -59,7 +59,6 @@ async function initializeExpressSync() {
// the timeout middleware will respond with a 503. the request itself cannot be 'aborted' and will continue
// search for req.clearTimeout in route handlers to see places where this timeout is reset
.use(middleware.timeout(REQUEST_TIMEOUT, { respond: true }))
.use(middleware.cors({ origins: [ '*' ], allowCredentials: false }))
.use((req, res , next) => {
// we store our route resources, like app,volumes,... in req.resources. Those are added in the load() routes
req.resources = {};