@@ -49,7 +49,9 @@ export default class SuggestionAndSearch extends React.Component {
let suggestions
try {
const json = await res.json()
suggestions = json.badges
// This doesn't validate the response. The default value here prevents
// a crash if the server returns {"err":"Disallowed"}.
suggestions = json.badges || []
} catch (e) {
suggestions = []
}
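Review bot: The fallback on the new `suggestions = json.badges || []` line only covers a missing or falsy `badges`; a response in which `badges` is a string, number or object still passes through, and whatever iterates or renders `suggestions` later will fail on it, so the caveat the new comment itself states ("This doesn't validate the response") is the gap to close. Because the server's error reply is `{"err":"Disallowed"}` and the catch branch already maps any parse failure to an empty list, narrowing the accepted shape to an array is consistent with the existing error handling: `suggestions = Array.isArray(json.badges) ? json.badges : []`. The enclosing async method starts before this hunk, so `res` and any status check preceding `res.json()` are not visible here.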
@@ -107,16 +107,31 @@ function setRoutes(allowedOrigin, githubApiProvider, server) {
server.ajax.on('suggest/v1', (data, end, ask) => {
// The typical dev and production setups are cross-origin. However, in
// Heroku deploys and some self-hosted deploys these requests may come from
// the same host.
// the same host. Chrome does not send an Origin header on same-origin
// requests, but Firefox does.
//
// It would be better to solve this problem using some well-tested
// middleware.
const origin = ask.req.headers.origin
if (origin) {
if (allowedOrigin.includes(origin)) {
ask.res.setHeader('Access-Control-Allow-Origin', origin)
} else {
let host
try {
host = new URL(origin).hostname
} catch (e) {
ask.res.setHeader('Access-Control-Allow-Origin', 'null')
end({ err: 'Disallowed' })
return
}
if (host !== ask.req.headers.host) {
if (allowedOrigin.includes(origin)) {
ask.res.setHeader('Access-Control-Allow-Origin', origin)
} else {
ask.res.setHeader('Access-Control-Allow-Origin', 'null')
end({ err: 'Disallowed' })
return
}
}
}
let url
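Review bot: The same-host test at `if (host !== ask.req.headers.host)` compares `URL.hostname`, which strips the port, against the `Host` header, which carries the port whenever it is not the scheme default, so a same-origin request served on a port such as 3000 never matches and always falls through to the `allowedOrigin` check; that fails closed, but it defeats the Heroku and self-hosted case the new comment describes. Using `host = new URL(origin).host` (hostname plus port) lines the comparison up with the header, and it is worth noting in the comment that the scheme is still not compared, so an `http://` origin on the same hostname is treated as same-host by an `https://` deployment. The `Disallowed` reply is now written twice, in the catch and in the inner else; a small local helper holding the `setHeader`/`end`/`return` triple would keep the two paths in step. The handler callback opens at `server.ajax.on('suggest/v1', ...)` inside the hunk but its body continues past `let url` outside it.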
@@ -195,8 +195,8 @@
"wait-promise": "^0.4.1"
},
"engines": {
"node": ">= 8.x",
"npm": "5.x"
"node": ">= 8",
"npm": ">= 5"
},
"babel": {
"presets": [