authorFeross Aboukhadijeh <feross@feross.org>2017-04-08 04:02:07 +0300
committerFeross Aboukhadijeh <feross@feross.org>2017-04-08 04:02:07 +0300
commit526ec9a44980e95274b29e66278ea488f2681728 (patch)
treea17f7e749fd366bdb20c94840289552af0b94040 /lib/server.js
parent873be1411054332d21b0e5b65f8508a243615a26 (diff)
Add `origin` option for torrent.createServer()
When the origin option is specified, only requests from the given origin will be allowed. This is useful for adding security to an app that starts a WebTorrent server but does not want it exposed to the entire Web.
Diffstat (limited to 'lib/server.js')
-rw-r--r--lib/server.js30
1 files changed, 24 insertions, 6 deletions
diff --git a/lib/server.js b/lib/server.js
index af1665d..be45ddc 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -7,8 +7,10 @@ var pump = require('pump')
var rangeParser = require('range-parser')
var url = require('url')
-function Server (torrent, requestListener) {
- var server = http.createServer(requestListener)
+function Server (torrent, opts) {
+ var server = http.createServer()
+ if (!opts) opts = {}
+ if (!opts.origin) opts.origin = '*' // allow all origins by default
var sockets = []
var pendingReady = []
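Review bot: The default on the `opts.origin` line is applied by truthiness, so the `false` value that isOriginAllowed later documents as "deny all cross-origin requests" is overwritten with `'*'` before it can ever be checked, making the deny-all mode unreachable (an empty string is overwritten the same way). Testing for absence only would keep `false` intact: `if (opts.origin == null) opts.origin = '*' // allow all origins by default`. The line also writes the default into the caller's object; copying the option into a local would avoid that, but it is a style choice. The Server function continues past the end of this hunk.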
@@ -41,6 +43,21 @@ function Server (torrent, requestListener) {
else server.close(cb)
}
+ function isOriginAllowed (req) {
+ // When `origin` option is `false`, deny all cross-origin requests
+ if (opts.origin === false) return false
+
+ // Requests without an 'Origin' header are not actually cross-origin, so just
+ // deny them
+ if (req.headers.origin == null) return false
+
+ // The user allowed all origins
+ if (opts.origin === '*') return true
+
+ // Allow requests where the 'Origin' header matches the `opts.origin` setting
+ return req.headers.origin === opts.origin
+ }
+
function onConnection (socket) {
socket.setTimeout(36000000)
sockets.push(socket)
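Review bot: isOriginAllowed needs a header comment stating what it does and does not gate, because the commit message describes it as allowing only requests from the given origin, while the code decides only whether CORS headers are emitted and whether a preflight is answered; nothing in the new lines of the GET/HEAD path visible here refuses a request whose origin is disallowed, and the Origin value is supplied by the client, so this is a browser-side read restriction rather than access control. Suggested comment above the function: `// Decide whether CORS headers are sent for this request. This only affects what browsers let cross-origin scripts read; it is not authentication, and non-browser clients send no Origin header at all.` It would also help to document that `opts.origin` is compared by exact string match, so it must be the serialized origin exactly as browsers send it (`scheme://host[:port]`, no path or trailing slash), since a mismatched value silently disables CORS rather than failing loudly. The enclosing Server function starts and ends outside this hunk.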
@@ -56,9 +73,9 @@ function Server (torrent, requestListener) {
return serve404Page()
}
- // Allow CORS requests to read responses
- if (req.headers.origin) {
- res.setHeader('Access-Control-Allow-Origin', req.headers.origin || '*')
+ // Allow cross-origin requests (CORS)
+ if (isOriginAllowed(req)) {
+ res.setHeader('Access-Control-Allow-Origin', req.headers.origin)
}
// Prevent browser mime-type sniffing
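Review bot: The Access-Control-Allow-Origin header now always reflects the request's Origin value, including when `opts.origin` is `'*'`, but no `Vary: Origin` header is sent, so a shared or browser cache may serve a response stamped with one origin's ACAO value to a request from another origin and the per-origin decision made by isOriginAllowed is lost at the cache layer. Add the cache directive next to the reflected header: `res.setHeader('Vary', 'Origin')` inside the `if (isOriginAllowed(req))` block. The onRequest handler this sits in starts and ends outside the hunk.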
@@ -68,7 +85,8 @@ function Server (torrent, requestListener) {
// by responding to the OPTIONS preflight request with the specified
// origin and requested headers.
if (req.method === 'OPTIONS') {
- return serveOptionsRequest()
+ if (isOriginAllowed(req)) return serveOptionsRequest()
+ else return serveMethodNotAllowed()
}
if (req.method === 'GET' || req.method === 'HEAD') {