Fixed CORS vary header modification
refs https://github.com/TryGhost/Toolbox/issues/461 - The 'vary' header with the 'Origin' value should only be set when an OPTIONS request is processed. Otherwise we are prone to leaking the vary header modification further down the request pipeline
This commit is contained in:
parent
9b2e36e4fb
commit
ac46c2f2e9
@ -61,12 +61,15 @@ function corsOptionsDelegate(req, callback) {
|
||||
* @param {Function} next
|
||||
*/
|
||||
const handleCaching = (req, res, next) => {
|
||||
// @NOTE: try to add native support for dynamic 'vary' header value in 'cors' module
|
||||
res.vary('Origin');
|
||||
const method = req.method && req.method.toUpperCase && req.method.toUpperCase();
|
||||
if (method === 'OPTIONS') {
|
||||
// @NOTE: try to add native support for dynamic 'vary' header value in 'cors' module
|
||||
res.vary('Origin');
|
||||
}
|
||||
next();
|
||||
};
|
||||
|
||||
module.exports = [
|
||||
cors(corsOptionsDelegate),
|
||||
handleCaching
|
||||
handleCaching,
|
||||
cors(corsOptionsDelegate)
|
||||
];
|
||||
|
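Review bot: With `res.vary('Origin')` now emitted only inside the `if (method === 'OPTIONS')` branch, an actual GET or POST response whose `Access-Control-Allow-Origin` echoes the request origin carries no `Vary: Origin` from this middleware, so correctness for shared caches now rests on `cors(corsOptionsDelegate)` adding that header itself (the `cors` package does so for a delegate-style origin option, but that is not visible in this hunk). That reliance deserves a comment on the branch: `// Non-preflight responses get Vary: Origin from cors(); this only covers OPTIONS, which cors may end before a later middleware runs`. The swapped order in `module.exports` (`handleCaching` before `cors(...)`) also needs a one-line reason, since nothing explains it; presumably it is because `cors` can terminate preflight requests, in which case `// handleCaching must run first: cors() may end the OPTIONS response` would do. The same applies to the identical change in the second middleware file at `@ -88,12 +88,15 @@`.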
@ -88,12 +88,15 @@ function corsOptionsDelegate(req, cb) {
|
||||
* @param {Function} next
|
||||
*/
|
||||
const handleCaching = (req, res, next) => {
|
||||
// @NOTE: try to add native support for dynamic 'vary' header value in 'cors' module
|
||||
res.vary('Origin');
|
||||
const method = req.method && req.method.toUpperCase && req.method.toUpperCase();
|
||||
if (method === 'OPTIONS') {
|
||||
// @NOTE: try to add native support for dynamic 'vary' header value in 'cors' module
|
||||
res.vary('Origin');
|
||||
}
|
||||
next();
|
||||
};
|
||||
|
||||
module.exports = [
|
||||
cors(corsOptionsDelegate),
|
||||
handleCaching
|
||||
handleCaching,
|
||||
cors(corsOptionsDelegate)
|
||||
];
|
||||
|
@ -3,8 +3,8 @@ const sinon = require('sinon');
|
||||
const rewire = require('rewire');
|
||||
const configUtils = require('../../../../../utils/configUtils');
|
||||
|
||||
let cors = rewire('../../../../../../core/server/web/api/middleware/cors')[0];
|
||||
let corsCaching = rewire('../../../../../../core/server/web/api/middleware/cors')[1];
|
||||
let cors = rewire('../../../../../../core/server/web/api/middleware/cors')[1];
|
||||
let corsCaching = rewire('../../../../../../core/server/web/api/middleware/cors')[0];
|
||||
|
||||
describe('cors', function () {
|
||||
let res;
|
||||
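Review bot: The two `rewire(...)` calls load the middleware module twice and pick `[1]` and `[0]` from separate copies, so the export indices are now duplicated across three lines (here and in the `afterEach` at `@ -37,7 +37,7 @@`) and will silently go stale the next time `module.exports` is reordered. A single load with destructuring keeps the coupling in one place: `let [corsCaching, cors] = rewire('../../../../../../core/server/web/api/middleware/cors');`. The `afterEach` also reloads only `cors` and not `corsCaching`, which looks like an oversight now that both come from the same array — verify whether the caching middleware needs a fresh copy between tests.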
@ -37,7 +37,7 @@ describe('cors', function () {
|
||||
afterEach(function () {
|
||||
sinon.restore();
|
||||
configUtils.restore();
|
||||
cors = rewire('../../../../../../core/server/web/api/middleware/cors')[0];
|
||||
cors = rewire('../../../../../../core/server/web/api/middleware/cors')[1];
|
||||
});
|
||||
|
||||
it('should not be enabled without a request origin header', function (done) {
|
||||
@ -142,4 +142,12 @@ describe('cors', function () {
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('should NOT add origin value to the vary header when not an OPTIONS request', function (done) {
|
||||
req.method = 'GET';
|
||||
corsCaching(req, res, function () {
|
||||
should.equal(res.vary.called, false);
|
||||
done();
|
||||
});
|
||||
});
|
||||
});
|
||||
|
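Review bot: The new case pins only the negative GET path, while the guard it exercises also uppercases `req.method` before comparing; if no earlier case in this describe covers a preflight, add the positive counterpart in the same shape, `req.method = 'OPTIONS';` followed by `should.equal(res.vary.calledWith('Origin'), true);`, and a lowercase `'options'` variant would document that the normalisation is intentional rather than incidental. Whether `res.vary` is a sinon stub is decided in the `beforeEach` outside this hunk, so the `.called` assertion depends on that setup.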