From 1c9c5428d2d2b09a0d189fd80178acbeb39fd4ef Mon Sep 17 00:00:00 2001
From: Joost de Bruijn
Date: Tue, 2 Aug 2022 14:42:19 +0200
Subject: [PATCH 1/4] feat: handle private network requests
---
 README.md | 1 +
 lib/index.js | 16 ++++++++++++++
 test/test.js | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 78 insertions(+)
diff --git a/README.md b/README.md
index c42d4a7..2945445 100644
--- a/README.md
+++ b/README.md
@@ -202,6 +202,7 @@ app.listen(80, function () {
 * `exposedHeaders`: Configures the **Access-Control-Expose-Headers** CORS header. Expects a comma-delimited string (ex: 'Content-Range,X-Content-Range') or an array (ex: `['Content-Range', 'X-Content-Range']`). If not specified, no custom headers are exposed.
 * `credentials`: Configures the **Access-Control-Allow-Credentials** CORS header. Set to `true` to pass the header, otherwise it is omitted.
 * `maxAge`: Configures the **Access-Control-Max-Age** CORS header. Set to an integer to pass the header, otherwise it is omitted.
+* `allowPrivateNetworkAccess`: Configures the **Access-Control-Allow-Private-Network**. Set to `false` to disable Private Network Requests, otherwise it is allowed.
 * `preflightContinue`: Pass the CORS preflight response to the next handler.
 * `optionsSuccessStatus`: Provides a status code to use for successful `OPTIONS` requests, since some legacy browsers (IE11, various SmartTVs) choke on `204`.
diff --git a/lib/index.js b/lib/index.js
index ad899ca..a8d1acc 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -141,6 +141,21 @@ return null; } + function configurePrivateNetworkAccess(options, req) { + if (!options.hasOwnProperty('allowPrivateNetworkAccess')) { + // Allow Private Network Requests by default. + options.allowPrivateNetworkAccess = true; + } + + if (req.headers['access-control-request-private-network'] === 'true' && options.allowPrivateNetworkAccess) { + return { + key: 'Access-Control-Allow-Private-Network', + value: 'true' + }; + } + return null; + } + function applyHeaders(headers, res) { for (var i = 0, n = headers.length; i < n; i++) { var header = headers[i]; @@ -168,6 +183,7 @@ headers.push(configureAllowedHeaders(options, req)); headers.push(configureMaxAge(options)) headers.push(configureExposedHeaders(options)) + headers.push(configurePrivateNetworkAccess(options, req)) applyHeaders(headers, res); if (options.preflightContinue) { diff --git a/test/test.js b/test/test.js index f2a2e94..4437b3f 100644 --- a/test/test.js +++ b/test/test.js 
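Review bot: In `configurePrivateNetworkAccess` (lib/index.js, first hunk) the guard `&& options.allowPrivateNetworkAccess` is a truthiness test, so any truthy value, including a string such as `'false'` passed through from configuration, makes the middleware answer the preflight with `Access-Control-Allow-Private-Network: true`. That header is the server's consent for a page loaded from a less private network to reach it, so I would require the boolean explicitly: `if (req.headers['access-control-request-private-network'] === 'true' && options.allowPrivateNetworkAccess === true) {`. The same condition is carried forward under the name `allowPrivateNetwork` in the later patches of this series and deserves the same change there. A one-line comment above the function, `// Opt-in reply to a Private Network Access preflight; sent only when the request asks for it and the option is enabled.`, would also make the intent clear to the next reader.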
@@ -630,6 +630,67 @@ var util = require('util') // act cors()(req, res, next); }); + + it('allows private network requests when allowPrivateNetworkAccess is true', function (done) { + // arrange + var req, res, options, cb; + options = { + allowPrivateNetworkAccess: true, + }; + req = fakeRequest('OPTIONS', {'access-control-request-private-network': 'true'}); + res = fakeResponse(); + cb = after(1, done) + + res.on('finish', function () { + assert.equal(res.getHeader('Access-Control-Allow-Private-Network'), 'true') + cb() + }) + + // act + cors(options)(req, res, function (err) { + cb(err || new Error('should not be called')) + }); + }); + + it('denies private network requests when allowPrivateNetworkAccess is false', function (done) { + // arrange + var req, res, options, cb; + options = { + allowPrivateNetworkAccess: false, + }; + req = fakeRequest('OPTIONS', {'access-control-request-private-network': 'true'}); + res = fakeResponse(); + cb = after(1, done) + + res.on('finish', function () { + assert.equal(res.getHeader('Access-Control-Allow-Private-Network'), undefined) + cb() + }) + + // act + cors(options)(req, res, function (err) { + cb(err || new Error('should not be called')) + }); + }); + + it('allows private network requests when no options are set', function (done) { + // arrange + var req, res, options, cb; + options = {}; + req = fakeRequest('OPTIONS', {'access-control-request-private-network': 'true'}); + res = fakeResponse(); + cb = after(1, done) + + res.on('finish', function () { + assert.equal(res.getHeader('Access-Control-Allow-Private-Network'), 'true') + cb() + }) + + // act + cors(options)(req, res, function (err) { + cb(err || new Error('should not be called')) + }); + }); }); describe('passing a function to build options', function () { From 7ca1e418208e7a85519112a28e47a1b7fb5db531 Mon Sep 17 00:00:00 2001 
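Review bot: All three tests added in this hunk send `'access-control-request-private-network': 'true'`, so nothing pins the other half of the condition in `configurePrivateNetworkAccess`: a preflight that does not ask for private network access must not receive `Access-Control-Allow-Private-Network`, even with the option switched on. A regression that emitted the header unconditionally would still pass this suite. I would add a case with the option enabled and the request header absent, written in the same arrange/act layout as the tests here. The enclosing `describe` block starts outside the hunk.

```javascript
it('omits the private network header when the preflight does not request it', function (done) {
  // arrange
  var req, res, options, cb;
  options = {
    allowPrivateNetworkAccess: true,
  };
  req = fakeRequest('OPTIONS', {});
  res = fakeResponse();
  cb = after(1, done)

  res.on('finish', function () {
    assert.equal(res.getHeader('Access-Control-Allow-Private-Network'), undefined)
    cb()
  })

  // act
  cors(options)(req, res, function (err) {
    cb(err || new Error('should not be called'))
  });
});
```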
From: Joost de Bruijn
Date: Tue, 2 Aug 2022 16:56:24 +0200
Subject: [PATCH 2/4] fix: rename option to allowPrivateNetwork
---
 README.md | 2 +-
 lib/index.js | 6 +++---
 test/test.js | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 2945445..604af02 100644
--- a/README.md
+++ b/README.md
@@ -202,7 +202,7 @@ app.listen(80, function () {
 * `exposedHeaders`: Configures the **Access-Control-Expose-Headers** CORS header. Expects a comma-delimited string (ex: 'Content-Range,X-Content-Range') or an array (ex: `['Content-Range', 'X-Content-Range']`). If not specified, no custom headers are exposed.
 * `credentials`: Configures the **Access-Control-Allow-Credentials** CORS header. Set to `true` to pass the header, otherwise it is omitted.
 * `maxAge`: Configures the **Access-Control-Max-Age** CORS header. Set to an integer to pass the header, otherwise it is omitted.
-* `allowPrivateNetworkAccess`: Configures the **Access-Control-Allow-Private-Network**. Set to `false` to disable Private Network Requests, otherwise it is allowed.
+* `allowPrivateNetwork`: Configures the **Access-Control-Allow-Private-Network**. Set to `false` to disable Private Network Requests, otherwise it is allowed.
 * `preflightContinue`: Pass the CORS preflight response to the next handler.
 * `optionsSuccessStatus`: Provides a status code to use for successful `OPTIONS` requests, since some legacy browsers (IE11, various SmartTVs) choke on `204`.
diff --git a/lib/index.js b/lib/index.js
index a8d1acc..a080ada 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -142,12 +142,12 @@ } function configurePrivateNetworkAccess(options, req) { - if (!options.hasOwnProperty('allowPrivateNetworkAccess')) { + if (!options.hasOwnProperty('allowPrivateNetwork')) { // Allow Private Network Requests by default. - options.allowPrivateNetworkAccess = true; + options.allowPrivateNetwork = true; } - if (req.headers['access-control-request-private-network'] === 'true' && options.allowPrivateNetworkAccess) { + if (req.headers['access-control-request-private-network'] === 'true' && options.allowPrivateNetwork) { return { key: 'Access-Control-Allow-Private-Network', value: 'true' diff --git a/test/test.js b/test/test.js index 4437b3f..4a2fb98 100644 --- a/test/test.js +++ b/test/test.js @@ -631,11 +631,11 @@ var util = require('util') cors()(req, res, next); }); - it('allows private network requests when allowPrivateNetworkAccess is true', function (done) { + it('allows private network requests when allowPrivateNetwork is true', function (done) { // arrange var req, res, options, cb; options = { - allowPrivateNetworkAccess: true, + allowPrivateNetwork: true, }; req = fakeRequest('OPTIONS', {'access-control-request-private-network': 'true'}); res = fakeResponse(); @@ -652,11 +652,11 @@ var util = require('util') }); }); - it('denies private network requests when allowPrivateNetworkAccess is false', function (done) { + it('denies private network requests when allowPrivateNetwork is false', function (done) { // arrange var req, res, options, cb; options = { - allowPrivateNetworkAccess: false, + allowPrivateNetwork: false, }; req = fakeRequest('OPTIONS', {'access-control-request-private-network': 'true'}); res = fakeResponse(); From 9035d0951bbeb09d0f0439ffb6e0f369090a76fc Mon Sep 17 00:00:00 2001 From: Joost de Bruijn Date: Tue, 2 Aug 2022 16:57:30 +0200 Subject: [PATCH 3/4] fix: add option to defaults object --- lib/index.js | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) 
diff --git a/lib/index.js b/lib/index.js index a080ada..eee06b3 100644 --- a/lib/index.js +++ b/lib/index.js @@ -9,7 +9,8 @@ origin: '*', methods: 'GET,HEAD,PUT,PATCH,POST,DELETE', preflightContinue: false, - optionsSuccessStatus: 204 + optionsSuccessStatus: 204, + allowPrivateNetwork: true, }; function isString(s) { @@ -142,11 +143,6 @@ } function configurePrivateNetworkAccess(options, req) { - if (!options.hasOwnProperty('allowPrivateNetwork')) { - // Allow Private Network Requests by default. - options.allowPrivateNetwork = true; - } - if (req.headers['access-control-request-private-network'] === 'true' && options.allowPrivateNetwork) { return { key: 'Access-Control-Allow-Private-Network', From 7e5ef4f6ea817e5156dcf13c1e75ded284acd8f2 Mon Sep 17 00:00:00 2001 From: Joost de Bruijn Date: Tue, 22 Aug 2023 15:54:34 +0200 Subject: [PATCH 4/4] fix: disable private network requests by default --- lib/index.js | 2 +- test/test.js | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/index.js b/lib/index.js index eee06b3..066202a 100644 --- a/lib/index.js +++ b/lib/index.js @@ -10,7 +10,7 @@ methods: 'GET,HEAD,PUT,PATCH,POST,DELETE', preflightContinue: false, optionsSuccessStatus: 204, - allowPrivateNetwork: true, + allowPrivateNetwork: false, }; function isString(s) { diff --git a/test/test.js b/test/test.js index 4a2fb98..5262f9f 100644 --- a/test/test.js +++ b/test/test.js @@ -673,7 +673,7 @@ var util = require('util') }); }); - it('allows private network requests when no options are set', function (done) { + it('denies private network requests when no options are set', function (done) { // arrange var req, res, options, cb; options = {}; @@ -682,7 +682,7 @@ var util = require('util') cb = after(1, done) res.on('finish', function () { - assert.equal(res.getHeader('Access-Control-Allow-Private-Network'), 'true') + assert.equal(res.getHeader('Access-Control-Allow-Private-Network'), undefined) cb() })
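Review bot: Patch 4/4 changes the entry in `defaults` to `allowPrivateNetwork: false`, but its diffstat touches only lib/index.js and test/test.js, so the README line from patch 2/4 still tells users to set the option to `false` to disable it and that it is otherwise allowed, which is now the opposite of the shipped behaviour. Someone relying on that text would believe private network preflights are approved when they are not, or would never learn that they must opt in. I would update the README in the same patch, for example ``* `allowPrivateNetwork`: Configures the **Access-Control-Allow-Private-Network** CORS header. Set to `true` to pass the header on preflight requests that ask for it, otherwise it is omitted.`` Since `origin: '*'` remains the default in the same object, it is also worth one sentence advising that the option be enabled together with a restricted `origin`.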