@cloudflare/vite-plugin 1.12.0 → 1.12.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/asset-workers/router-worker.js +18 -1
- package/dist/index.js +9739 -8569
- package/package.json +8 -8
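--- a/package/dist/asset-workers/router-worker.js
+++ b/package/dist/asset-workers/router-worker.js
@@ -4596,8 +4596,10 @@ var Analytics = class {
 // blob4
 this.data.coloRegion,
 // blob5
-this.data.abuseMitigationURLHost
+this.data.abuseMitigationURLHost,
 // blob6
+this.data.xssDetectionImageHref
+// blob7
 ]
 });
 }
@@ -6178,6 +6180,21 @@ var worker_default = {
 }
 }
 }
+if (url.pathname === "/_image") {
+const hrefParam = url.searchParams.get("href");
+if (hrefParam && hrefParam.length > 2 && hrefParam.startsWith("//")) {
+try {
+const hrefUrl = new URL("https:" + hrefParam);
+const isImageFetchDest = request.headers.get("sec-fetch-dest") == "image";
+if (hrefUrl.hostname !== url.hostname && !isImageFetchDest) {
+analytics.setData({ xssDetectionImageHref: hrefParam });
+return new Response("Blocked", { status: 403 });
+}
+} catch {
+console.log(`Invalid href parameter in /_image: ${hrefParam}`);
+}
+}
+}
 analytics.setData({
 timeToDispatch: performance.now() - startTimeMs
 });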
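Review bot: The `sec-fetch-dest` comparison in the new `/_image` branch uses loose equality; `headers.get()` yields a string or `null`, so `const isImageFetchDest = request.headers.get("sec-fetch-dest") === "image";` is the intended form and avoids a lint warning. Because that header is absent on non-browser clients and older browsers, a missing header counts as a non-image load and a cross-host href is blocked, which looks like the safe default but deserves a comment such as `// Missing Sec-Fetch-Dest (non-browser client) is treated as a non-image load and blocked when cross-host.` The guard only inspects protocol-relative values (`//`) and compares `hostname` alone, so a differing port or scheme on the same host passes and absolute hrefs are not examined here; presumably the downstream image handler rejects those — confirm. The `catch` writes the raw `hrefParam` into the console line unchanged; truncating or JSON-encoding it would keep request-controlled text from shaping log output. The enclosing `fetch` handler of `worker_default` starts and ends outside the hunk.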