Skip to content
This repository has been archived by the owner on Feb 12, 2024. It is now read-only.

fix: reject requests when cors origin list is empty #3674

Merged

Conversation

achingbrain
Copy link
Member

@achingbrain achingbrain commented May 6, 2021

If CORS origin list is empty, Hapi throws an error as it considers
that to be invalid configuration.

We want to reject requests that send and origin or a referer when
no allowed origins have been configured, so when these headers are
sent, reject the request if no allowed origins are present in the
config.

If CORS origin list is empty, Hapi throws an error as it considers
that to be invalid configuration.

We want to reject requests that send and origin or a referrer when
no allowed origins have been configured, so when these headers are
sent, reject the request if no allowed origins are present in the
config.
packages/ipfs-http-server/src/index.js Outdated Show resolved Hide resolved
packages/ipfs-http-server/src/index.js Outdated Show resolved Hide resolved
Copy link
Member

@lidel lidel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did not run this, but should do the trick of aligning with what we do in go-ipfs.
Small nits below.

packages/ipfs-http-server/src/index.js Outdated Show resolved Hide resolved
@@ -149,5 +163,53 @@ describe('cors', () => {

expect(res).to.have.property('statusCode', 404)
})

it('rejects requests when cors origin list is empty and origin is sent', async () => {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add a copy of this test but with origin = 'null', just to document expected behavior for that edge case?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done!

achingbrain and others added 2 commits May 7, 2021 10:46
Co-authored-by: Vasco Santos <vasco.santos@moxy.studio>
Co-authored-by: Marcin Rataj <lidel@lidel.org>
@achingbrain achingbrain merged commit 0b2d98c into master May 7, 2021
@achingbrain achingbrain deleted the fix/reject-requests-when-cors-origin-list-is-empty branch May 7, 2021 11:00
achingbrain added a commit that referenced this pull request May 7, 2021
If CORS origin list is empty, Hapi throws an error as it considers
that to be invalid configuration.

We want to reject requests that send and origin or a referer when
no allowed origins have been configured, so when these headers are
sent, reject the request if no allowed origins are present in the
config.

Co-authored-by: Vasco Santos <vasco.santos@moxy.studio>
Co-authored-by: Marcin Rataj <lidel@lidel.org>
achingbrain added a commit that referenced this pull request May 7, 2021
* fix: reject requests when cors origin list is empty (#3674)

If CORS origin list is empty, Hapi throws an error as it considers
that to be invalid configuration.

We want to reject requests that send and origin or a referer when
no allowed origins have been configured, so when these headers are
sent, reject the request if no allowed origins are present in the
config.

Co-authored-by: Vasco Santos <vasco.santos@moxy.studio>
Co-authored-by: Marcin Rataj <lidel@lidel.org>

* chore: ts-ignore until #3655 lands

Co-authored-by: Vasco Santos <vasco.santos@moxy.studio>
Co-authored-by: Marcin Rataj <lidel@lidel.org>
This was referenced Dec 6, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants