Home Explore Help
Sign In
ShariX
/
converse-built
3
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: unstable
Branches Tags
converse-built
/
node_modules
/
corser
/
lib
/
corser.js

corser.js 12 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228 
  1. /**
    2. 

  2.  * Specification: http://www.w3.org/TR/2012/WD-cors-20120403/
    3. 

  3.  * W3C Working Draft 3 April 2012
    4. 

  4.  */
    5. 

  5. "use strict";
    6. 

  6. 

  7. /*jshint node:true */
    8. 

  8. 

  9. var simpleMethods, simpleRequestHeaders, simpleResponseHeaders, toLowerCase, checkOriginMatch;
    10. 

  10. 

  11. // A method is said to be a simple method if it is a case-sensitive match for one of the following:
    12. 

  12. Object.defineProperty(exports, "simpleMethods", {
    13. 

  13.     get: function () {
    14. 

  14.         return [
    15. 

  15.             "GET",
    16. 

  16.             "HEAD",
    17. 

  17.             "POST"
    18. 

  18.         ];
    19. 

  19.     }
    20. 

  20. });
    21. 

  21. simpleMethods = exports.simpleMethods;
    22. 

  22. 

  23. // A header is said to be a simple header if the header field name is an ASCII case-insensitive match for one of
    24. 

  24. // the following:
    25. 

  25. Object.defineProperty(exports, "simpleRequestHeaders", {
    26. 

  26.     get: function () {
    27. 

  27.         return [
    28. 

  28.             "accept",
    29. 

  29.             "accept-language",
    30. 

  30.             "content-language",
    31. 

  31.             "content-type"
    32. 

  32.         ];
    33. 

  33.     }
    34. 

  34. });
    35. 

  35. simpleRequestHeaders = exports.simpleRequestHeaders;
    36. 

  36. 

  37. // A header is said to be a simple response header if the header field name is an ASCII case-insensitive
    38. 

  38. // match for one of the following:
    39. 

  39. Object.defineProperty(exports, "simpleResponseHeaders", {
    40. 

  40.     get: function () {
    41. 

  41.         return [
    42. 

  42.             "cache-control",
    43. 

  43.             "content-language",
    44. 

  44.             "content-type",
    45. 

  45.             "expires",
    46. 

  46.             "last-modified",
    47. 

  47.             "pragma"
    48. 

  48.         ];
    49. 

  49.     }
    50. 

  50. });
    51. 

  51. simpleResponseHeaders = exports.simpleResponseHeaders;
    52. 

  52. 

  53. toLowerCase = function (array) {
    54. 

  54.     return array.map(function (el) {
    55. 

  55.         return el.toLowerCase();
    56. 

  56.     });
    57. 

  57. };
    58. 

  58. 

  59. checkOriginMatch = function (originHeader, origins, callback) {
    60. 

  60.     if (typeof origins === "function") {
    61. 

  61.         origins(originHeader, function (err, allow) {
    62. 

  62.             callback(err, allow);
    63. 

  63.         });
    64. 

  64.     } else if (origins.length > 0) {
    65. 

  65.         callback(null, origins.some(function (origin) {
    66. 

  66.             return origin === originHeader;
    67. 

  67.         }));
    68. 

  68.     } else {
    69. 

  69.         // Always matching is acceptable since the list of origins can be unbounded.
    70. 

  70.         callback(null, true);
    71. 

  71.     }
    72. 

  72. };
    73. 

  73. 

  74. exports.create = function (options) {
    75. 

  75.     options = options || {};
    76. 

  76.     options.origins = options.origins || [];
    77. 

  77.     options.methods = options.methods || simpleMethods;
    78. 

  78.     if (options.hasOwnProperty("requestHeaders") === true) {
    79. 

  79.         options.requestHeaders = toLowerCase(options.requestHeaders);
    80. 

  80.     } else {
    81. 

  81.         options.requestHeaders = simpleRequestHeaders;
    82. 

  82.     }
    83. 

  83.     if (options.hasOwnProperty("responseHeaders") === true) {
    84. 

  84.         options.responseHeaders = toLowerCase(options.responseHeaders);
    85. 

  85.     } else {
    86. 

  86.         options.responseHeaders = simpleResponseHeaders;
    87. 

  87.     }
    88. 

  88.     options.maxAge = options.maxAge || null;
    89. 

  89.     options.supportsCredentials = options.supportsCredentials || false;
    90. 

  90.     if (options.hasOwnProperty("endPreflightRequests") === false) {
    91. 

  91.         options.endPreflightRequests = true;
    92. 

  92.     }
    93. 

  93.     return function (req, res, next) {
    94. 

  94.         var methodMatches, headersMatch, requestMethod, requestHeaders, exposedHeaders, endPreflight;
    95. 

  95.         // If the Origin header is not present terminate this set of steps.
    96. 

  96.         if (!req.headers.hasOwnProperty("origin")) {
    97. 

  97.             // The request is outside the scope of the CORS specification. If there is no Origin header,
    98. 

  98.             // it could be a same-origin request. Let's let the user-agent handle this situation.
    99. 

  99.             next();
    100. 

  100.         } else {
    101. 

  101.             // If the value of the Origin header is not a case-sensitive match for any of the values in
    102. 

  102.             // list of origins, do not set any additional headers and terminate this set of steps.
    103. 

  103.             checkOriginMatch(req.headers.origin, options.origins, function (err, originMatches) {
    104. 

  104.                 if (err !== null) {
    105. 

  105.                     next(err);
    106. 

  106.                 } else {
    107. 

  107.                     if (typeof originMatches !== "boolean" || originMatches === false) {
    108. 

  108.                         next();
    109. 

  109.                     } else {
    110. 

  110.                         // Respond to preflight request.
    111. 

  111.                         if (req.method === "OPTIONS") {
    112. 

  112.                             endPreflight = function () {
    113. 

  113.                                 if (options.endPreflightRequests === true) {
    114. 

  114.                                     res.writeHead(204);
    115. 

  115.                                     res.end();
    116. 

  116.                                 } else {
    117. 

  117.                                     next();
    118. 

  118.                                 }
    119. 

  119.                             };
    120. 

  120.                             // If there is no Access-Control-Request-Method header or if parsing failed, do not set
    121. 

  121.                             // any additional headers and terminate this set of steps.
    122. 

  122.                             if (!req.headers.hasOwnProperty("access-control-request-method")) {
    123. 

  123.                                 endPreflight();
    124. 

  124.                             } else {
    125. 

  125.                                 requestMethod = req.headers["access-control-request-method"];
    126. 

  126.                                 // If there are no Access-Control-Request-Headers headers let header field-names be the
    127. 

  127.                                 // empty list. If parsing failed do not set any additional headers and terminate this set
    128. 

  128.                                 // of steps.
    129. 

  129.                                 // Checking for an empty header is a workaround for a bug Chrome 52:
    130. 

  130.                                 // https://bugs.chromium.org/p/chromium/issues/detail?id=633729
    131. 

  131.                                 if (req.headers.hasOwnProperty("access-control-request-headers") && req.headers["access-control-request-headers"] !== "") {
    132. 

  132.                                     requestHeaders = toLowerCase(req.headers["access-control-request-headers"].split(/,\s*/));
    133. 

  133.                                 } else {
    134. 

  134.                                     requestHeaders = [];
    135. 

  135.                                 }
    136. 

  136.                                 // If method is not a case-sensitive match for any of the values in list of methods do not
    137. 

  137.                                 // set any additional headers and terminate this set of steps.
    138. 

  138.                                 methodMatches = options.methods.indexOf(requestMethod) !== -1;
    139. 

  139.                                 if (methodMatches === false) {
    140. 

  140.                                     endPreflight();
    141. 

  141.                                 } else {
    142. 

  142.                                     // If any of the header field-names is not a ASCII case-insensitive match for any of
    143. 

  143.                                     // the values in list of headers do not set any additional headers and terminate this
    144. 

  144.                                     // set of steps.
    145. 

  145.                                     headersMatch = requestHeaders.every(function (requestHeader) {
    146. 

  146.                                         // Browsers automatically add Origin to Access-Control-Request-Headers. However,
    147. 

  147.                                         // Origin is not one of the simple request headers. Therefore, the header is
    148. 

  148.                                         // accepted even if it is not in the list of request headers because CORS would
    149. 

  149.                                         // not work without it.
    150. 

  150.                                         if (requestHeader === "origin") {
    151. 

  151.                                             return true;
    152. 

  152.                                         } else {
    153. 

  153.                                             if (options.requestHeaders.indexOf(requestHeader) !== -1) {
    154. 

  154.                                                 return true;
    155. 

  155.                                             } else {
    156. 

  156.                                                 return false;
    157. 

  157.                                             }
    158. 

  158.                                         }
    159. 

  159.                                     });
    160. 

  160.                                     if (headersMatch === false) {
    161. 

  161.                                         endPreflight();
    162. 

  162.                                     } else {
    163. 

  163.                                         if (options.supportsCredentials === true) {
    164. 

  164.                                             // If the resource supports credentials add a single Access-Control-Allow-Origin
    165. 

  165.                                             // header, with the value of the Origin header as value, and add a single
    166. 

  166.                                             // Access-Control-Allow-Credentials header with the literal string "true"
    167. 

  167.                                             // as value.
    168. 

  168.                                             res.setHeader("Access-Control-Allow-Origin", req.headers.origin);
    169. 

  169.                                             res.setHeader("Access-Control-Allow-Credentials", "true");
    170. 

  170.                                         } else {
    171. 

  171.                                             // Otherwise, add a single Access-Control-Allow-Origin header, with either the
    172. 

  172.                                             // value of the Origin header or the string "*" as value.
    173. 

  173.                                             if (options.origins.length > 0 || typeof options.origins === "function") {
    174. 

  174.                                                 res.setHeader("Access-Control-Allow-Origin", req.headers.origin);
    175. 

  175.                                             } else {
    176. 

  176.                                                 res.setHeader("Access-Control-Allow-Origin", "*");
    177. 

  177.                                             }
    178. 

  178.                                         }
    179. 

  179.                                         // Optionally add a single Access-Control-Max-Age header with as value the amount
    180. 

  180.                                         // of seconds the user agent is allowed to cache the result of the request.
    181. 

  181.                                         if (options.maxAge !== null) {
    182. 

  182.                                             res.setHeader("Access-Control-Max-Age", options.maxAge);
    183. 

  183.                                         }
    184. 

  184.                                         // Add one or more Access-Control-Allow-Methods headers consisting of (a subset
    185. 

  185.                                         // of) the list of methods.
    186. 

  186.                                         res.setHeader("Access-Control-Allow-Methods", options.methods.join(","));
    187. 

  187.                                         // Add one or more Access-Control-Allow-Headers headers consisting of (a subset
    188. 

  188.                                         // of) the list of headers.
    189. 

  189.                                         res.setHeader("Access-Control-Allow-Headers", options.requestHeaders.join(","));
    190. 

  190.                                         // And out.
    191. 

  191.                                         endPreflight();
    192. 

  192.                                     }
    193. 

  193.                                 }
    194. 

  194.                             }
    195. 

  195.                         } else {
    196. 

  196.                             if (options.supportsCredentials === true) {
    197. 

  197.                                 // If the resource supports credentials add a single Access-Control-Allow-Origin header,
    198. 

  198.                                 // with the value of the Origin header as value, and add a single
    199. 

  199.                                 // Access-Control-Allow-Credentials header with the literal string "true" as value.
    200. 

  200.                                 res.setHeader("Access-Control-Allow-Origin", req.headers.origin);
    201. 

  201.                                 res.setHeader("Access-Control-Allow-Credentials", "true");
    202. 

  202.                             } else {
    203. 

  203.                                 // Otherwise, add a single Access-Control-Allow-Origin header, with either the value of
    204. 

  204.                                 // the Origin header or the literal string "*" as value.
    205. 

  205.                                 // If the list of origins is empty, use "*" as value.
    206. 

  206.                                 if (options.origins.length > 0 || typeof options.origins === "function") {
    207. 

  207.                                     res.setHeader("Access-Control-Allow-Origin", req.headers.origin);
    208. 

  208.                                 } else {
    209. 

  209.                                     res.setHeader("Access-Control-Allow-Origin", "*");
    210. 

  210.                                 }
    211. 

  211.                             }
    212. 

  212.                             // If the list of exposed headers is not empty add one or more Access-Control-Expose-Headers
    213. 

  213.                             // headers, with as values the header field names given in the list of exposed headers.
    214. 

  214.                             exposedHeaders = options.responseHeaders.filter(function (optionsResponseHeader) {
    215. 

  215.                                 return simpleResponseHeaders.indexOf(optionsResponseHeader) === -1;
    216. 

  216.                             });
    217. 

  217.                             if (exposedHeaders.length > 0) {
    218. 

  218.                                 res.setHeader("Access-Control-Expose-Headers", exposedHeaders.join(","));
    219. 

  219.                             }
    220. 

  220.                             // And out.
    221. 

  221.                             next();
    222. 

  222.                         }
    223. 

  223.                     }
    224. 

  224.                 }
    225. 

  225.             });
    226. 

  226.         }
    227. 

  227.     };
    228. 

  228. };
    229.