npm - socket-function - Versions diffs - 0.76.0 → 0.78.0 - Mend

socket-function 0.76.0 → 0.78.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/SocketFunction.ts CHANGED Viewed

@@ -65,6 +65,10 @@ export class SocketFunction {
     public static HTTP_COMPRESS = false;
+    // If you have HTTP resources that require cookies you might to set `SocketFunction.COEP = "require-corp"`
+    //  - Cross-origin-resource-policy.
+    public static COEP = "credentialless";
     // In retrospect... dynamically changing the wire serializer is a BAD idea. If any calls happen
     //  before it is changed, things just break. Also, it needs to be changed on both sides,
     //  or else things break. Also, it is very hard to detect when the issue is different serializers

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "socket-function",
-	"version": "0.76.0",
+	"version": "0.78.0",
 	"main": "index.js",
 	"license": "MIT",
 	"dependencies": {

package/src/callHTTPHandler.ts CHANGED Viewed

@@ -5,7 +5,7 @@ import { isDataImmutable, performLocalCall } from "./callManager";
 import { SocketFunction } from "../SocketFunction";
 import { gzip } from "zlib";
 import zlib from "zlib";
-import { formatNumberSuffixed, sha256Hash } from "./misc";
+import { formatNumberSuffixed, getRootDomain, sha256Hash } from "./misc";
 import { getClientNodeId, getNodeId } from "./nodeCache";
 let defaultHTTPCall: CallType | undefined;
@@ -65,8 +65,7 @@ export async function httpCallHandler(request: http.IncomingMessage, response: h
         {
             response.setHeader("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload");
             response.setHeader("Cross-Origin-Opener-Policy", "same-origin-allow-popups");
-            // NOTE: "credentialless" would work here too
-            response.setHeader("Cross-Origin-Embedder-Policy", "require-corp");
+            response.setHeader("Cross-Origin-Embedder-Policy", SocketFunction.COEP);
             let origin = request.headers.origin || request.headers.referer;
             let allowed = false;
@@ -79,18 +78,8 @@ export async function httpCallHandler(request: http.IncomingMessage, response: h
                 if (!host) {
                     throw new Error("Missing host in request headers");
                 }
-                function rootDomain(hostname: string) {
-                    let parts = hostname.split(".");
-                    hostname = parts.slice(-2).join(".");
-                    if (hostname.startsWith("https://")) {
-                        hostname = hostname.slice("https://".length);
-                    }
-                    hostname = hostname.split(":")[0];
-                    hostname = hostname.split("/")[0];
-                    return hostname;
-                }
-                let hostDomain = rootDomain(host);
-                let originDomain = rootDomain(origin);
+                let hostDomain = getRootDomain(host);
+                let originDomain = getRootDomain(origin);
                 allowed = hostDomain === originDomain;
                 if (!allowed) {
                     console.log(`Rejected CORS, hostDomain: ${hostDomain} !== ${originDomain}`);

package/src/misc.ts CHANGED Viewed

@@ -293,6 +293,17 @@ export function sort<T>(arr: T[], sortKey: (obj: T) => unknown) {
     return arr;
 }
+export function getRootDomain(hostname: string) {
+    if (hostname.startsWith("https://")) {
+        hostname = hostname.slice("https://".length);
+    }
+    hostname = hostname.split("/")[0];
+    let parts = hostname.split(".");
+    hostname = parts.slice(-2).join(".");
+    hostname = hostname.split(":")[0];
+    return hostname;
+}
 export class QueueLimited<T> {
     private items: T[] = [];
     private nextIndex = 0;

package/src/webSocketServer.ts CHANGED Viewed

@@ -11,7 +11,7 @@ import { parseSNIExtension, parseTLSHello, SNIType } from "./tlsParsing";
 import debugbreak from "debugbreak";
 import { getNodeId } from "./nodeCache";
 import crypto from "crypto";
-import { Watchable, timeInHour, timeInMinute } from "./misc";
+import { Watchable, getRootDomain, timeInHour, timeInMinute } from "./misc";
 import { delay, runInfinitePoll, runInfinitePollCallAtStart } from "./batching";
 import { magenta, red } from "./formatting/logColors";
 import { yellow } from "./formatting/logColors";
@@ -133,12 +133,14 @@ export async function startSocketServer(
             let originHeader = request.headers["origin"];
             if (originHeader) {
                 try {
-                    let host = new URL("ws://" + request.headers["host"]).hostname;
-                    let origin = new URL(originHeader).hostname;
+                    let host = getRootDomain(new URL("ws://" + request.headers["host"]).hostname);
+                    let origin = getRootDomain(new URL(originHeader).hostname);
                     if (host !== origin && !allowedHostnames.has(origin)) {
                         throw new Error(`Invalid cross domain request, ${JSON.stringify(host)} !== ${JSON.stringify(origin)} (also not in config.allowedHostnames ${JSON.stringify(config.allowHostnames)})`);
                     }
                 } catch (e) {
+                    // Destroy the socket, so we don't lock up the client
+                    socket.destroy();
                     // NOTE: Just log, because invalid requests are guaranteed to happen, and
                     //  there's no point wasting time looking at them.
                     console.log(e);
@@ -217,11 +219,13 @@ export async function startSocketServer(
                     console.log(buffer.toString("base64"));
                 }
                 let originalSNI = sni;
-                // Remove subdomains until we can find a domain
-                while (!sniServers.has(sni)) {
-                    let parts = sni.split(".");
-                    if (parts.length <= 2) break;
-                    sni = parts.slice(1).join(".");
+                if (sni) {
+                    // Remove subdomains until we can find a domain
+                    while (!sniServers.has(sni)) {
+                        let parts = sni.split(".");
+                        if (parts.length <= 2) break;
+                        sni = parts.slice(1).join(".");
+                    }
                 }
                 if (!sniServers.has(sni)) {