Fixed CORS vary header modification

refs https://github.com/TryGhost/Toolbox/issues/461

- The 'vary' header with the 'Origin' value should only be set when an OPTIONS request is processed. Otherwise the vary header modification leaks further down the request pipeline.
This commit is contained in:
Naz 2022-11-03 11:15:19 +08:00
parent 9b2e36e4fb
commit ac46c2f2e9
No known key found for this signature in database
3 changed files with 25 additions and 11 deletions


@ -61,12 +61,15 @@ function corsOptionsDelegate(req, callback) {
* @param {Function} next
*/
const handleCaching = (req, res, next) => {
// @NOTE: try to add native support for dynamic 'vary' header value in 'cors' module
res.vary('Origin');
const method = req.method && req.method.toUpperCase && req.method.toUpperCase();
if (method === 'OPTIONS') {
// @NOTE: try to add native support for dynamic 'vary' header value in 'cors' module
res.vary('Origin');
}
next();
};
module.exports = [
cors(corsOptionsDelegate),
handleCaching
handleCaching,
cors(corsOptionsDelegate)
];
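Review bot: Dropping `Vary: Origin` from non-OPTIONS responses in handleCaching's new `if (method === 'OPTIONS')` branch is only safe if `cors(corsOptionsDelegate)` still emits that header on every actual (non-preflight) response whose `Access-Control-Allow-Origin` is chosen per request; without it a shared cache can serve a response carrying one origin's allow-origin value to a different origin. The hunk does not show what the cors module sets, so this needs confirming against it rather than assuming. The retained `@NOTE` repeats the removed wording and should instead record why the header is now preflight-only, e.g. `// Preflight (OPTIONS) responses need an explicit Vary: Origin; actual responses are expected to get it from the cors module — confirm (refs TryGhost/Toolbox#461)`. The identical handleCaching change in the second file section has the same open question. The JSDoc for handleCaching starts outside the hunk.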


@ -88,12 +88,15 @@ function corsOptionsDelegate(req, cb) {
* @param {Function} next
*/
const handleCaching = (req, res, next) => {
// @NOTE: try to add native support for dynamic 'vary' header value in 'cors' module
res.vary('Origin');
const method = req.method && req.method.toUpperCase && req.method.toUpperCase();
if (method === 'OPTIONS') {
// @NOTE: try to add native support for dynamic 'vary' header value in 'cors' module
res.vary('Origin');
}
next();
};
module.exports = [
cors(corsOptionsDelegate),
handleCaching
handleCaching,
cors(corsOptionsDelegate)
];
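Review bot: The JSDoc for handleCaching, whose tail (`@param {Function} next`) is the hunk's first line and whose start lies outside the hunk, should now state the narrowed contract so readers do not assume the header is always added, e.g. `* Adds 'Origin' to the Vary header for OPTIONS (preflight) requests only; other methods pass through untouched.` The method normalisation `req.method && req.method.toUpperCase && req.method.toUpperCase()` reads as a duck-typing chain; `const method = typeof req.method === 'string' ? req.method.toUpperCase() : undefined;` states the guarded case (a non-string `method`) explicitly and yields the same `OPTIONS` comparison. Both points apply equally to the first file section's copy of handleCaching.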


@ -3,8 +3,8 @@ const sinon = require('sinon');
const rewire = require('rewire');
const configUtils = require('../../../../../utils/configUtils');
let cors = rewire('../../../../../../core/server/web/api/middleware/cors')[0];
let corsCaching = rewire('../../../../../../core/server/web/api/middleware/cors')[1];
let cors = rewire('../../../../../../core/server/web/api/middleware/cors')[1];
let corsCaching = rewire('../../../../../../core/server/web/api/middleware/cors')[0];
describe('cors', function () {
let res;
@ -37,7 +37,7 @@ describe('cors', function () {
afterEach(function () {
sinon.restore();
configUtils.restore();
cors = rewire('../../../../../../core/server/web/api/middleware/cors')[0];
cors = rewire('../../../../../../core/server/web/api/middleware/cors')[1];
});
it('should not be enabled without a request origin header', function (done) {
@ -142,4 +142,12 @@ describe('cors', function () {
done();
});
});
it('should NOT add origin value to the vary header when not an OPTIONS request', function (done) {
req.method = 'GET';
corsCaching(req, res, function () {
should.equal(res.vary.called, false);
done();
});
});
});
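Review bot: The rewire path `'../../../../../../core/server/web/api/middleware/cors'` is repeated on both swapped index lines and again in afterEach, and the meaning of `[0]`/`[1]` depends on the export order in the middleware file, which this hunk does not show; hoisting it once, `const corsModulePath = '../../../../../../core/server/web/api/middleware/cors'; // exports [handleCaching, cors] — keep in sync with the middleware file`, means a future reorder needs a single change. The new GET test pins only the negative side (`res.vary.called` is false); the companion positive case, an OPTIONS request that does call `res.vary('Origin')`, is not visible in this hunk, and if it is not covered above it should be added so the OPTIONS-only condition is asserted from both directions. The describe block begins outside the hunk.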