-
Notifications
You must be signed in to change notification settings - Fork 3.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update CORS, add AMP-Same-Origin when Origin is missing on same origin requests #4879
Changes from 7 commits
62272b0
7a59a3e
25562ee
919c950
04f7ebc
68775e5
bd69c73
3b43eef
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -98,21 +98,7 @@ const SOURCE_ORIGIN_REGEX = new RegExp('^http://localhost:8000|' + | |
'^https?://.+\.herokuapp\.com:8000/'); | ||
|
||
app.use('/form/html/post', function(req, res) { | ||
if (!ORIGIN_REGEX.test(req.headers.origin)) { | ||
res.statusCode = 500; | ||
res.end(JSON.stringify({ | ||
message: 'Origin header is invalid.' | ||
})); | ||
return; | ||
} | ||
|
||
if (!SOURCE_ORIGIN_REGEX.test(req.query.__amp_source_origin)) { | ||
res.statusCode = 500; | ||
res.end(JSON.stringify({ | ||
message: '__amp_source_origin parameter is invalid.' | ||
})); | ||
return; | ||
} | ||
assertCors(req, res, ['POST']); | ||
|
||
var form = new formidable.IncomingForm(); | ||
form.parse(req, function(err, fields) { | ||
|
@@ -132,39 +118,83 @@ app.use('/form/html/post', function(req, res) { | |
}); | ||
}); | ||
|
||
app.use('/form/echo-json/post', function(req, res) { | ||
if (!ORIGIN_REGEX.test(req.headers.origin)) { | ||
res.statusCode = 500; | ||
res.end(JSON.stringify({ | ||
message: 'Origin header is invalid.' | ||
})); | ||
return; | ||
function assertCors(req, res, opt_validMethods) { | ||
const validMethods = opt_validMethods || ['GET', 'POST', 'OPTIONS']; | ||
const invalidMethod = req.method + ' method is not allowed. Use POST.'; | ||
const invalidOrigin = 'Origin header is invalid.'; | ||
const invalidSourceOrigin = '__amp_source_origin parameter is invalid.'; | ||
const unauthorized = 'Unauthorized Request'; | ||
var origin; | ||
|
||
if (validMethods.indexOf(req.method) == -1) { | ||
res.statusCode = 405; | ||
res.end(JSON.stringify({message: invalidMethod})); | ||
throw invalidMethod; | ||
} | ||
|
||
if (!SOURCE_ORIGIN_REGEX.test(req.query.__amp_source_origin)) { | ||
res.statusCode = 500; | ||
res.end(JSON.stringify({ | ||
message: '__amp_source_origin parameter is invalid.' | ||
})); | ||
return; | ||
if (req.headers.origin) { | ||
origin = req.headers.origin; | ||
if (!ORIGIN_REGEX.test(req.headers.origin)) { | ||
res.statusCode = 500; | ||
res.end(JSON.stringify({message: invalidOrigin})); | ||
throw invalidOrigin; | ||
} | ||
|
||
if (!SOURCE_ORIGIN_REGEX.test(req.query.__amp_source_origin)) { | ||
res.statusCode = 500; | ||
res.end(JSON.stringify({message: invalidSourceOrigin})); | ||
throw invalidSourceOrigin; | ||
} | ||
} else if (req.headers['amp-same-origin'] == 'true') { | ||
origin = getUrlPrefix(req); | ||
} else { | ||
res.statusCode = 401; | ||
res.end(JSON.stringify({message: unauthorized})); | ||
throw unauthorized; | ||
} | ||
|
||
res.setHeader('Access-Control-Allow-Credentials', 'true'); | ||
res.setHeader('Access-Control-Allow-Origin', origin); | ||
res.setHeader('Access-Control-Expose-Headers', | ||
'AMP-Access-Control-Allow-Source-Origin') | ||
res.setHeader('AMP-Access-Control-Allow-Source-Origin', | ||
req.query.__amp_source_origin); | ||
} | ||
|
||
app.use('/form/echo-json/post', function(req, res) { | ||
assertCors(req, res, ['POST']); | ||
var form = new formidable.IncomingForm(); | ||
form.parse(req, function(err, fields) { | ||
res.setHeader('Content-Type', 'application/json'); | ||
if (fields['email'] == '[email protected]') { | ||
res.statusCode = 500; | ||
} | ||
res.setHeader('Access-Control-Allow-Origin', | ||
req.headers.origin); | ||
res.setHeader('Access-Control-Expose-Headers', | ||
'AMP-Access-Control-Allow-Source-Origin') | ||
res.setHeader('AMP-Access-Control-Allow-Source-Origin', | ||
req.query.__amp_source_origin); | ||
res.end(JSON.stringify(fields)); | ||
}); | ||
}); | ||
|
||
|
||
app.use('/form/search-html/get', function(req, res) { | ||
res.setHeader('Content-Type', 'text/html'); | ||
res.end(` | ||
<h1>Here's results for your search<h1> | ||
<ul> | ||
<li>Result 1</li> | ||
<li>Result 2</li> | ||
<li>Result 3</li> | ||
</ul> | ||
`); | ||
}); | ||
|
||
|
||
app.use('/form/search-json/get', function(req, res) { | ||
assertCors(req, res, ['GET']); | ||
res.json({ | ||
results: [{title: 'Result 1'}, {title: 'Result 2'}, {title: 'Result 3'}] | ||
}); | ||
}); | ||
|
||
|
||
app.use('/share-tracking/get-outgoing-fragment', function(req, res) { | ||
res.setHeader('AMP-Access-Control-Allow-Source-Origin', | ||
req.protocol + '://' + req.headers.host); | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -15,8 +15,8 @@ | |
*/ | ||
|
||
import {startsWith} from './string'; | ||
import {dev, user} from './log'; | ||
import {assertHttpsUrl, getCorsUrl, SOURCE_ORIGIN_PARAM} from './url'; | ||
import {user} from './log'; | ||
import {assertHttpsUrl, checkCorsUrl, SOURCE_ORIGIN_PARAM} from './url'; | ||
import {urls} from './config'; | ||
|
||
|
||
|
@@ -59,21 +59,28 @@ export function onDocumentFormSubmit_(e) { | |
'Illegal input name, %s found: %s', SOURCE_ORIGIN_PARAM, inputs[i]); | ||
} | ||
|
||
const win = form.ownerDocument.defaultView; | ||
let action = form.getAttribute('action'); | ||
if (!form.__AMP_INIT_ACTION__) { | ||
form.__AMP_INIT_ACTION__ = action; | ||
} else { | ||
action = form.__AMP_INIT_ACTION__; | ||
const action = form.getAttribute('action'); | ||
const actionXhr = form.getAttribute('action-xhr'); | ||
const method = (form.getAttribute('method') || 'GET').toUpperCase(); | ||
if (method == 'GET') { | ||
user().assert(action, | ||
'form action attribute is required for method=GET: %s', form); | ||
assertHttpsUrl(action, /** @type {!Element} */ (form), 'action'); | ||
user().assert(!startsWith(action, urls.cdn), | ||
'form action should not be on AMP CDN: %s', form); | ||
checkCorsUrl(action); | ||
} else if (action) { | ||
e.preventDefault(); | ||
user().assert(false, | ||
'form action attribute is invalid for method=POST: %s', form); | ||
} else if (!actionXhr) { | ||
e.preventDefault(); | ||
user().assert(false, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Sorry, got my eyes crossed. It's already here :) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Ack |
||
'Only XHR based (via action-xhr attribute) submissions are support ' + | ||
'for POST requests. %s', | ||
form); | ||
} | ||
user().assert(action, 'form action attribute is required: %s', form); | ||
assertHttpsUrl(action, dev().assertElement(form), 'action'); | ||
user().assert(!startsWith(action, urls.cdn), | ||
'form action should not be on AMP CDN: %s', form); | ||
|
||
// Update the form non-xhr action to add `__amp_source_origin` parameter. | ||
// This allows publishers to understand where the request is coming from. | ||
form.setAttribute('action', getCorsUrl(win, action)); | ||
checkCorsUrl(actionXhr); | ||
|
||
const target = form.getAttribute('target'); | ||
user().assert(target, 'form target attribute is required: %s', form); | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/cc @andreban @sebastianbenz for changes proposed to AMP CORS, to support in sample publisher as well.