Proposal for not requiring changing trustOrigin
This commit is contained in:
parent
afa7aa2e6b
commit
1530953c3e
@ -196,13 +196,12 @@ export function hostMatchesUrl(host?: string, url?: string) {
|
|||||||
*
|
*
|
||||||
* @param {string?} host The host to check
|
* @param {string?} host The host to check
|
||||||
*/
|
*/
|
||||||
export function isOwnInternalUrlHost(host?: string) {
|
function isOwnInternalUrlHost(host?: string) {
|
||||||
if (process.env.APP_HOME_INTERNAL_URL) {
|
// Note: APP_HOME_INTERNAL_URL may also defined in doc worker as well as in Home worker
|
||||||
return hostMatchesUrl(host, process.env.APP_HOME_INTERNAL_URL);
|
if (process.env.APP_HOME_INTERNAL_URL && hostMatchesUrl(host, process.env.APP_HOME_INTERNAL_URL)) {
|
||||||
} else if (process.env.APP_DOC_INTERNAL_URL) {
|
return true;
|
||||||
return hostMatchesUrl(host, process.env.APP_DOC_INTERNAL_URL);
|
|
||||||
}
|
}
|
||||||
return false;
|
return Boolean(process.env.APP_DOC_INTERNAL_URL) && hostMatchesUrl(host, process.env.APP_DOC_INTERNAL_URL);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
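Review bot: `isOwnInternalUrlHost` is un-exported here while its only visible caller, the short-circuit in `trustOrigin`, is removed in the same commit (hunk `@ -90,8 +88,6`), so unless something else in this file still calls it the helper is now dead code and will fail under `noUnusedLocals`; either delete it or keep the `export` if external callers remain. The rewrite also changes the result: the old body returned `false` when `APP_HOME_INTERNAL_URL` was set but did not match, never consulting `APP_DOC_INTERNAL_URL`, whereas the new body falls through to the doc URL, so a remaining caller now accepts a host matching either URL. If that widening is intended, state it in the doc comment, e.g. `* Returns true if host matches APP_HOME_INTERNAL_URL or APP_DOC_INTERNAL_URL (either variable may be set on a home or doc worker).`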
|
@ -685,6 +685,9 @@ export function getTransitiveHeaders(req: Request): {[key: string]: string} {
|
|||||||
const XRequestedWith = req.get('X-Requested-With');
|
const XRequestedWith = req.get('X-Requested-With');
|
||||||
const Origin = req.get('Origin'); // Pass along the original Origin since it may
|
const Origin = req.get('Origin'); // Pass along the original Origin since it may
|
||||||
// play a role in granular access control.
|
// play a role in granular access control.
|
||||||
|
const Host = req.get('Host'); // Also pass along the original Host, as we need it since
|
||||||
|
// the destination compares that with the Origin header.
|
||||||
|
|
||||||
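Review bot: The forwarded value is the raw `req.get('Host')`, so when the home worker sits behind a reverse proxy that rewrites Host and sets `X-Forwarded-Host`, the header spread into `result` in the next hunk (`@ -692,6 +695,7`) is the proxy-facing host rather than the one the browser's Origin will match; if `trust proxy` is honoured elsewhere in the server, confirm that the destination's `allowHost` compares against the same notion of host. `Host` is client-controlled and is now passed through alongside `Authorization` and `Cookie`, so the comment should make the trust boundary explicit, e.g. `// Forwarded only so the destination's Origin check can compare against it; the destination must still treat it as client-supplied and not build URLs from it.` Some HTTP client libraries refuse to override `Host` on outgoing requests; the client used by callers of `getTransitiveHeaders` is outside this hunk.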
const result: Record<string, string> = {
|
const result: Record<string, string> = {
|
||||||
...(Authorization ? { Authorization } : undefined),
|
...(Authorization ? { Authorization } : undefined),
|
||||||
...(Cookie ? { Cookie } : undefined),
|
...(Cookie ? { Cookie } : undefined),
|
||||||
@ -692,6 +695,7 @@ export function getTransitiveHeaders(req: Request): {[key: string]: string} {
|
|||||||
...(PermitHeader ? { Permit: PermitHeader } : undefined),
|
...(PermitHeader ? { Permit: PermitHeader } : undefined),
|
||||||
...(XRequestedWith ? { 'X-Requested-With': XRequestedWith } : undefined),
|
...(XRequestedWith ? { 'X-Requested-With': XRequestedWith } : undefined),
|
||||||
...(Origin ? { Origin } : undefined),
|
...(Origin ? { Origin } : undefined),
|
||||||
|
...(Host ? { Host } : undefined),
|
||||||
};
|
};
|
||||||
const extraHeader = process.env.GRIST_FORWARD_AUTH_HEADER;
|
const extraHeader = process.env.GRIST_FORWARD_AUTH_HEADER;
|
||||||
const extraHeaderValue = extraHeader && req.get(extraHeader);
|
const extraHeaderValue = extraHeader && req.get(extraHeader);
|
||||||
|
@ -1,7 +1,5 @@
|
|||||||
import {ApiError} from 'app/common/ApiError';
|
import {ApiError} from 'app/common/ApiError';
|
||||||
import {
|
import { DEFAULT_HOME_SUBDOMAIN, isOrgInPathOnly, parseSubdomain, sanitizePathTail } from 'app/common/gristUrls';
|
||||||
DEFAULT_HOME_SUBDOMAIN, isOrgInPathOnly, isOwnInternalUrlHost, parseSubdomain, sanitizePathTail
|
|
||||||
} from 'app/common/gristUrls';
|
|
||||||
import * as gutil from 'app/common/gutil';
|
import * as gutil from 'app/common/gutil';
|
||||||
import {DocScope, QueryResult, Scope} from 'app/gen-server/lib/HomeDBManager';
|
import {DocScope, QueryResult, Scope} from 'app/gen-server/lib/HomeDBManager';
|
||||||
import {getUserId, RequestWithLogin} from 'app/server/lib/Authorizer';
|
import {getUserId, RequestWithLogin} from 'app/server/lib/Authorizer';
|
||||||
@ -90,8 +88,6 @@ export function trustOrigin(req: IncomingMessage, resp?: Response): boolean {
|
|||||||
const origin = req.headers.origin;
|
const origin = req.headers.origin;
|
||||||
if (!origin) { return true; } // Not a CORS request.
|
if (!origin) { return true; } // Not a CORS request.
|
||||||
|
|
||||||
if (isOwnInternalUrlHost(req.get('Host'))) { return true; }
|
|
||||||
|
|
||||||
if (!allowHost(req, new URL(origin))) { return false; }
|
if (!allowHost(req, new URL(origin))) { return false; }
|
||||||
|
|
||||||
if (resp) {
|
if (resp) {
|
||||||
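Review bot: With the `isOwnInternalUrlHost` short-circuit removed, every worker-to-worker request that carries an Origin must now pass `allowHost` with whatever Host the calling worker forwarded, so the correctness of `trustOrigin` for internal traffic depends on `getTransitiveHeaders` forwarding the browser's original Host, and nothing in this function records that dependency. Add a comment above the `allowHost` call, e.g. `// Internal worker-to-worker calls forward the browser's original Host (see getTransitiveHeaders), so the Origin/Host comparison below applies to them too.` Any internal caller that sends an Origin without forwarding Host (none is visible here) would now be rejected instead of trusted, which is the safer failure mode but worth a note in the commit description. `trustOrigin` continues past the end of the hunk.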
|