author | Diego R. B <diegorbaquero@gmail.com> | 2017-06-25 18:39:13 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-06-25 18:39:13 +0300 |
commit | f980be0093a20f9411090e098a9353f34b420bf6 (patch) | |
tree | f15020bd96e70daac2d17f8bfd299b7a9a94a24d /lib | |
parent | 45ebe4c3efd0d175fda23b58e5ff930a331c2d41 (diff) | |
parent | 526ec9a44980e95274b29e66278ea488f2681728 (diff) |
Merge pull request #1096 from webtorrent/feross/cors
Add `origin` option for torrent.createServer()
Diffstat (limited to 'lib')
-rw-r--r-- | lib/server.js | 30 |
1 files changed, 24 insertions, 6 deletions
diff --git a/lib/server.js b/lib/server.js
index af1665d..be45ddc 100644
--- a/lib/server.js
+++ b/lib/server.js
@@ -7,8 +7,10 @@ var pump = require('pump')
 var rangeParser = require('range-parser')
 var url = require('url')
-function Server (torrent, requestListener) {
- var server = http.createServer(requestListener)
+function Server (torrent, opts) {
+ var server = http.createServer()
+ if (!opts) opts = {}
+ if (!opts.origin) opts.origin = '*' // allow all origins by default
 var sockets = []
 var pendingReady = []
@@ -41,6 +43,21 @@ function Server (torrent, requestListener) {
 else server.close(cb)
 }
+ function isOriginAllowed (req) {
+ // When `origin` option is `false`, deny all cross-origin requests
+ if (opts.origin === false) return false
+
+ // Requests without an 'Origin' header are not actually cross-origin, so just
+ // deny them
+ if (req.headers.origin == null) return false
+
+ // The user allowed all origins
+ if (opts.origin === '*') return true
+
+ // Allow requests where the 'Origin' header matches the `opts.origin` setting
+ return req.headers.origin === opts.origin
+ }
+
 function onConnection (socket) {
 socket.setTimeout(36000000)
 sockets.push(socket)
@@ -56,9 +73,9 @@ function Server (torrent, requestListener) {
 return serve404Page()
 }
- // Allow CORS requests to read responses
- if (req.headers.origin) {
- res.setHeader('Access-Control-Allow-Origin', req.headers.origin || '*')
+ // Allow cross-origin requests (CORS)
+ if (isOriginAllowed(req)) {
+ res.setHeader('Access-Control-Allow-Origin', req.headers.origin)
 }
 // Prevent browser mime-type sniffing
@@ -68,7 +85,8 @@ function Server (torrent, requestListener) {
 // by responding to the OPTIONS preflight request with the specified
 // origin and requested headers.
 if (req.method === 'OPTIONS') {
- return serveOptionsRequest()
+ if (isOriginAllowed(req)) return serveOptionsRequest()
+ else return serveMethodNotAllowed()
 }
 if (req.method === 'GET' || req.method === 'HEAD') { |
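Review bot: The default on the added line `if (!opts.origin) opts.origin = '*'` turns an explicit `origin: false` into `'*'`, because `!false` is true, so the deny-all branch `if (opts.origin === false) return false` in the `isOriginAllowed` hunk can never run and a caller who asked for no cross-origin access gets every origin allowed. Default only when the option is absent: `if (opts.origin == null) opts.origin = '*' // allow all origins by default`. The same lines also write into the caller's `opts` object, and a caller still passing the old `requestListener` function has it silently ignored; reading the option into a local (`var origin = opts.origin == null ? '*' : opts.origin`) and checking `typeof opts === 'function'` would address both. The body of `Server` continues outside the hunk.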
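Review bot: `isOriginAllowed` has no statement of which `opts.origin` values it accepts, and the comparison `req.headers.origin === opts.origin` is an exact string match against a single value. A doc comment above the function should say that the option is `false`, `'*'`, or one serialized origin such as `'https://example.com'` (scheme, host and non-default port, no trailing slash or path), and that any other shape, including an array, matches nothing and therefore denies. That keeps a mistyped allowlist failing closed while making the reason visible to whoever configures it.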
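Review bot: The response now carries `Access-Control-Allow-Origin` only for some request origins, but nothing in the hunk sets `Vary: Origin`, so a shared cache or the browser cache can hand a response stored for one origin to a page from another. Add `res.setHeader('Vary', 'Origin')` before the `if (isOriginAllowed(req))` check so it is sent on both the allowed and the denied path. A disallowed origin only loses the header here; as far as the visible lines show, the handler goes on to serve the request, so `origin` limits what browser scripts may read and is not an access control on the served data, which a comment next to the check should state. The enclosing request handler starts and ends outside the hunk.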
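Review bot: The preflight branch evaluates `isOriginAllowed(req)` a second time shortly after the header check and uses `else` after a `return`; computing it once (`var allowed = isOriginAllowed(req)`) and writing `if (!allowed) return serveMethodNotAllowed()` followed by `return serveOptionsRequest()` reads more directly. Because `isOriginAllowed` returns false when there is no `Origin` header, every OPTIONS request from a non-browser client now takes the method-not-allowed path as well; if that is intended, a one-line comment should say so. `serveMethodNotAllowed` and `serveOptionsRequest` are defined outside the hunk, so what the rejection response advertises (for example an `Allow` header) cannot be checked from here.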