npm - socket-function - Versions diffs - 0.66.0 → 0.68.0 - Mend

socket-function 0.66.0 → 0.68.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json +1 -1
package/require/RequireController.ts +9 -2
package/src/callHTTPHandler.ts +52 -0
package/src/corsCheck.ts +0 -0

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "socket-function",
-	"version": "0.66.0",
+	"version": "0.68.0",
 	"main": "index.js",
 	"license": "MIT",
 	"dependencies": {

package/require/RequireController.ts CHANGED Viewed

@@ -134,8 +134,9 @@ class RequireControllerBase {
     public async requireHTML(config?: {
         requireCalls?: string[];
+        cacheTime?: number;
     }) {
-        let { requireCalls } = config || {};
+        let { requireCalls, cacheTime } = config || {};
         let result = resolvedHTMLFile();
         if (beforeEntryText.length > 0) {
             let resolved: string[] = [];
@@ -166,7 +167,13 @@ class RequireControllerBase {
         } else {
             result = result.replace(ENTRY_TEMPLATE, "");
         }
-        return setHTTPResultHeaders(Buffer.from(result), { "Content-Type": "text/html" });
+        let headers: Record<string, string> = {
+            "Content-Type": "text/html"
+        };
+        if (cacheTime) {
+            headers["Cache-Control"] = `max-age=${Math.floor(cacheTime / 1000)}`;
+        }
+        return setHTTPResultHeaders(Buffer.from(result), headers);
     }
     public async getModules(

package/src/callHTTPHandler.ts CHANGED Viewed

@@ -61,6 +61,58 @@ export async function httpCallHandler(request: http.IncomingMessage, response: h
         // Don't keep alive, to prevent issues with zombie sockets.
         response.setHeader("Connection", "close");
+        // CORS bs (due to having to explictly allow subdomains)
+        {
+            response.setHeader("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload");
+            response.setHeader("Cross-Origin-Opener-Policy", "same-origin-allow-popups");
+            // NOTE: "credentialless" would work here too
+            response.setHeader("Cross-Origin-Embedder-Policy", "require-corp");
+            let origin = request.headers.origin || request.headers.referer;
+            let allowed = false;
+            if (!origin) {
+                // I guess it's a script, so just allow it (as it could easily set any header it wanted anyways)
+                allowed = true;
+                origin = "*";
+            } else {
+                let host = request.headers.host;
+                if (!host) {
+                    throw new Error("Missing host in request headers");
+                }
+                function rootDomain(hostname: string) {
+                    let parts = hostname.split(".");
+                    if (parts.length > 2) {
+                        return parts.slice(-2).join(".");
+                    }
+                    return hostname;
+                }
+                let hostDomain = rootDomain(host);
+                let originDomain = rootDomain(origin);
+                allowed = hostDomain === originDomain;
+                if (!allowed) {
+                    console.log(`Rejected CORS, hostDomain: ${hostDomain} !== ${originDomain}`);
+                }
+            }
+            // Allow if it has no origin, as that means it isn't a CORS request?
+            if (allowed) {
+                response.setHeader("Cross-Origin-Resource-Policy", "cross-origin");
+            } else {
+                response.setHeader("Cross-Origin-Resource-Policy", "same-site");
+            }
+            response.setHeader("vary", "Access-Control-Request-Headers");
+            response.setHeader("Access-Control-Allow-Origin", allowed ? origin : "");
+            if (allowed) {
+                response.setHeader("Access-Control-Allow-Credentials", "true");
+                response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+                response.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, Content-Length, X-Requested-With, x-uncompressed-content-length, Cookie");
+            }
+            response.setHeader("Access-Control-Expose-Headers", "x-uncompressed-content-length");
+        }
         let urlBase = request.url;
         if (!urlBase) {
             throw new Error("Missing URL");

package/src/corsCheck.ts ADDED Viewed

File without changes