@adobe/helix-html-pipeline 3.7.5 → 3.7.6

package/CHANGELOG.md

@@ -1,3 +1,10 @@
+## [3.7.6](https://github.com/adobe/helix-html-pipeline/compare/v3.7.5...v3.7.6) (2022-11-29)
+
+
+### Bug Fixes
+
+* improve custom header handling ([#205](https://github.com/adobe/helix-html-pipeline/issues/205)) ([3867fef](https://github.com/adobe/helix-html-pipeline/commit/3867fef601735ed8dc6921c0391bd0de148f0245)), closes [#204](https://github.com/adobe/helix-html-pipeline/issues/204) [#202](https://github.com/adobe/helix-html-pipeline/issues/202) [#199](https://github.com/adobe/helix-html-pipeline/issues/199)
+
 ## [3.7.5](https://github.com/adobe/helix-html-pipeline/compare/v3.7.4...v3.7.5) (2022-11-18)
 
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adobe/helix-html-pipeline",
-  "version": "3.7.5",
+  "version": "3.7.6",
   "description": "Helix HTML Pipeline",
   "main": "src/index.js",
   "types": "src/index.d.ts",
@@ -50,7 +50,7 @@
     "hast-util-to-html": "8.0.3",
     "hast-util-to-string": "2.0.0",
     "hastscript": "7.1.0",
-    "jose": "4.11.0",
+    "jose": "4.11.1",
     "mdast-util-gfm-footnote": "1.0.1",
     "mdast-util-gfm-strikethrough": "1.0.2",
     "mdast-util-gfm-table": "1.0.6",
@@ -83,16 +83,16 @@
     "@semantic-release/git": "10.0.1",
     "@semantic-release/npm": "9.0.1",
     "c8": "7.12.0",
-    "eslint": "8.27.0",
+    "eslint": "8.28.0",
     "eslint-import-resolver-exports": "1.0.0-beta.3",
     "eslint-plugin-header": "3.1.1",
     "eslint-plugin-import": "2.26.0",
-    "esmock": "2.0.7",
+    "esmock": "2.0.9",
     "husky": "8.0.2",
     "js-yaml": "4.1.0",
-    "jsdom": "20.0.2",
+    "jsdom": "20.0.3",
     "junit-report-builder": "3.0.1",
-    "lint-staged": "13.0.3",
+    "lint-staged": "13.0.4",
     "mocha": "10.1.0",
     "mocha-multi-reporters": "1.5.1",
     "remark-gfm": "3.0.1",

package/src/steps/set-custom-response-headers.js

@@ -9,7 +9,43 @@
  * OF ANY KIND, either express or implied. See the License for the specific language
  * governing permissions and limitations under the License.
  */
-import { cleanupHeaderValue } from '@adobe/helix-shared-utils';
+function cleanupHeaderValue(value) {
+  return value
+    .replace(/[^\t\u0020-\u007E\u0080-\u00FF]/g, '')
+    .substring(0, 1024 * 64);
+}
+
+/**
+ * Computes the access-control-allow-origin header value.
+ * The value can either be a single value or a comma separated list of origin names or patterns.
+ * If only a single static value is given (eg `*` or `https://www.adobe.com`), it is used verbatim.
+ * If multiple values are given, the one matching the origin request header is used.
+ * If any of the values is a regexp, the origin request header is used, if any match is given.
+ *
+ * @param {PipelineRequest} req
+ * @param {string} value
+ * @return {string} the access-control-allow-origin header value.
+ */
+function getACAOriginValue(req, value) {
+  /** @type string */
+  const origin = req.headers.get('origin') || '*';
+  const values = value.split(',')
+    .map((v) => v.trim());
+
+  if (values.length === 1 && !values[0].startsWith('/')) {
+    return values[0];
+  }
+
+  for (const v of values) {
+    if (v.startsWith('/') && v.endsWith('/') && new RegExp(v.substring(1, v.length - 1)).test(origin)) {
+      return origin;
+    }
+    if (v === origin) {
+      return origin;
+    }
+  }
+  return '';
+}
 
 /**
  * Decorates the pipeline response object with the headers defined in metadata.json.
@@ -23,7 +59,13 @@ export default function setCustomResponseHeaders(state, req, res) {
   Object.entries(state.headers.getModifiers(state.info.path)).forEach(([name, value]) => {
     // only use `link` header for extensionless pipeline
     if (name !== 'link' || (state.type === 'html' && state.info.selector === '')) {
-      res.headers.set(name, cleanupHeaderValue(value));
+      let val = cleanupHeaderValue(value);
+      if (name === 'access-control-allow-origin') {
+        val = getACAOriginValue(req, val);
+      }
+      if (val) {
+        res.headers.set(name, val);
+      }
     }
   });
 }