Skip to content

Fix: Validate request origin against configured string origin (Issue #365) #372

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
djunehor wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix: Validate request origin against configured string origin (Issue #365) #372

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions lib/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,10 +45,11 @@
value: '*'
}]);
} else if (isString(options.origin)) {
// fixed origin
// fixed origin - check if request origin matches
isAllowed = isOriginAllowed(requestOrigin, options.origin);
headers.push([{
key: 'Access-Control-Allow-Origin',
value: options.origin
value: isAllowed ? options.origin : false
}]);
headers.push([{
key: 'Vary',
Expand Down
73 changes: 67 additions & 6 deletions test/test.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -310,6 +310,67 @@ var util = require('util')
cors()(req, res, next);
});

it('should not allow non-matching origin when origin is set to specific string', function (done) {
// arrange
var req, res, next, options;
options = {
origin: 'https://allowed.com' // Only allow this specific origin
};
// Request from different origin
req = fakeRequest('GET', {
'origin': 'https://notallowed.com'
});
res = fakeResponse();
next = function () {
// assert - should NOT set Access-Control-Allow-Origin header for non-matching origin
assert.equal(res.getHeader('Access-Control-Allow-Origin'), undefined)
done();
};

// act
cors(options)(req, res, next);
});

it('should allow matching origin when origin is set to specific string', function (done) {
// arrange
var req, res, next, options;
options = {
origin: 'https://allowed.com' // Only allow this specific origin
};
// Request from matching origin
req = fakeRequest('GET', {
'origin': 'https://allowed.com'
});
res = fakeResponse();
next = function () {
// assert - should set Access-Control-Allow-Origin header for matching origin
assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'https://allowed.com')
done();
};

// act
cors(options)(req, res, next);
});

it('should not set header when request has no origin and string origin configured', function (done) {
// arrange
var req, res, next, options;
options = {
origin: 'https://allowed.com'
};
// Request with no origin header (like a same-origin request)
req = fakeRequest('GET', {});
res = fakeResponse();
next = function () {
// assert - should not set Access-Control-Allow-Origin header when no origin in request
assert.equal(res.getHeader('Access-Control-Allow-Origin'), undefined)
done();
};

// act
cors(options)(req, res, next);
});

it('specifying true for origin reflects requesting origin', function (done) {
// arrange
var req, res, next, options;
Expand Down Expand Up @@ -638,14 +699,14 @@ var util = require('util')
var req, res, next, delegate;
delegate = function (req2, cb) {
cb(null, {
origin: 'delegate.com'
origin: 'http://example.com' // Must match request origin for security
});
};
req = fakeRequest('GET');
req = fakeRequest('GET'); // Defaults to origin: 'http://example.com'
res = fakeResponse();
next = function () {
// assert
assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'delegate.com')
assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://example.com')
done();
};

Expand All @@ -655,17 +716,17 @@ var util = require('util')

it('handles options specified via callback for preflight', function (done) {
var cb = after(1, done)
var req = new FakeRequest('OPTIONS')
var req = new FakeRequest('OPTIONS') // Defaults to origin: 'http://example.com'
var res = new FakeResponse()
var delegate = function (req2, cb) {
cb(null, {
origin: 'delegate.com',
origin: 'http://example.com', // Must match request origin for security
maxAge: 1000
});
};

res.on('finish', function () {
assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'delegate.com')
assert.equal(res.getHeader('Access-Control-Allow-Origin'), 'http://example.com')
assert.equal(res.getHeader('Access-Control-Max-Age'), '1000')
cb()
})
Expand Down