Return 403 error when origin is not trusted (#310)
This commit is contained in:
parent
396153b1eb
commit
5f66a8f298
@ -1,3 +1,4 @@
import {ApiError} from 'app/common/ApiError';
import {delay} from 'app/common/delay';
import {delay} from 'app/common/delay';
import {DocCreationInfo} from 'app/common/DocListAPI';
import {DocCreationInfo} from 'app/common/DocListAPI';
import {encodeUrl, getSlugIfNeeded, GristLoadConfig, IGristUrlState, isOrgInPathOnly,
import {encodeUrl, getSlugIfNeeded, GristLoadConfig, IGristUrlState, isOrgInPathOnly,
@ -1753,7 +1754,7 @@ function trustOriginHandler(req: express.Request, res: express.Response, next: e
res.header("Access-Control-Allow-Methods", "GET, PATCH, PUT, POST, DELETE, OPTIONS");
res.header("Access-Control-Allow-Methods", "GET, PATCH, PUT, POST, DELETE, OPTIONS");
res.header("Access-Control-Allow-Headers", "Authorization, Content-Type, X-Requested-With");
res.header("Access-Control-Allow-Headers", "Authorization, Content-Type, X-Requested-With");
} else {
} else {
throw new Error('Unrecognized origin');
throw new ApiError('Unrecognized origin', 403);
}
}
if ('OPTIONS' === req.method) {
if ('OPTIONS' === req.method) {
res.sendStatus(200);
res.sendStatus(200);
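Review bot: The 403 at the `throw new ApiError('Unrecognized origin', 403)` line is raised before any Access-Control-Allow-* header has been set, so a cross-origin browser request still surfaces as a CORS failure and the new status is mainly visible to non-browser clients, tests and server logs; a comment on that line would keep the next reader from expecting the browser to see the 403, e.g. `// Untrusted Origin: client error (403), not a server fault. No CORS headers are sent, so browsers block the response regardless of status.` The handler's signature has no async keyword, so Express should route the thrown ApiError to the error middleware that presumably maps its status onto the response (the test hunk below shows a 403 reaching the client); if the handler is ever made async, the throw would have to go through next(err) instead. trustOriginHandler begins and ends outside the hunk.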
@ -2800,9 +2800,9 @@ function testDocApi() {
error && assert.deepEqual(resp.data, {error});
error && assert.deepEqual(resp.data, {error});
assert.equal(resp.status, status);
assert.equal(resp.status, status);
}
}
await checkOrigin("https://www.toto.com", 500, "Unrecognized origin");
await checkOrigin("https://www.toto.com", 403, "Unrecognized origin");
await checkOrigin("https://badexample.com", 500, "Unrecognized origin");
await checkOrigin("https://badexample.com", 403, "Unrecognized origin");
await checkOrigin("https://bad.com/example.com/toto", 500, "Unrecognized origin");
await checkOrigin("https://bad.com/example.com/toto", 403, "Unrecognized origin");
await checkOrigin("https://example.com/path", 200);
await checkOrigin("https://example.com/path", 200);
await checkOrigin("https://good.example.com/toto", 200);
await checkOrigin("https://good.example.com/toto", 200);
});
});
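Review bot: The updated expectations at the three `checkOrigin(..., 403, "Unrecognized origin")` lines pin the status and error body for rejected origins but not that the response carries no Access-Control-Allow-Origin header, which is the property that actually stops a browser from reading the 403 body cross-origin; a rejected origin that accidentally received the header would still pass this test. If resp is the axios-style response its `resp.status`/`resp.data` usage suggests, one assertion in checkOrigin's rejection branch covers it, e.g. `if (status !== 200) { assert.equal(resp.headers['access-control-allow-origin'], undefined); }`. checkOrigin's definition, and the surrounding testDocApi body, start outside the hunk.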