@theia/core
Version:
Theia is a cloud & desktop IDE framework implemented in TypeScript.
56 lines (48 loc) • 2.31 kB
text/typescript
// *****************************************************************************
// Copyright (C) 2020 Ericsson and others.
//
// This program and the accompanying materials are made available under the
// terms of the Eclipse Public License v. 2.0 which is available at
// http://www.eclipse.org/legal/epl-2.0.
//
// This Source Code may also be made available under the following Secondary
// Licenses when the conditions for such availability set forth in the Eclipse
// Public License v. 2.0 are satisfied: GNU General Public License, version 2
// with the GNU Classpath Exception which is available at
// https://www.gnu.org/software/classpath/license.html.
//
// SPDX-License-Identifier: EPL-2.0 OR GPL-2.0-only WITH Classpath-exception-2.0
// *****************************************************************************
import * as http from 'http';
import { inject, injectable } from 'inversify';
import { WsRequestValidatorContribution } from '../ws-request-validators';
import { BackendApplicationHosts } from './backend-application-hosts';
()
export class WsOriginValidator implements WsRequestValidatorContribution {
(BackendApplicationHosts)
protected readonly backendApplicationHosts: BackendApplicationHosts;
allowWsUpgrade(request: http.IncomingMessage): boolean {
if (!request.headers.origin) {
// Browsers omit the Origin header for same-origin requests (e.g. Socket.IO polling).
// Absent Origin is safe: cross-origin browser requests always include it.
return true;
}
let originHost: string;
try {
originHost = new URL(request.headers.origin).host;
} catch {
return false;
}
if (this.backendApplicationHosts.hasKnownHosts()) {
// When THEIA_HOSTS is configured, validate against the explicit allowlist.
return this.backendApplicationHosts.hosts.has(originHost);
}
// When THEIA_HOSTS is not configured (the common development/default case),
// enforce same-origin: the Origin's host must match the request's Host header.
const hostHeader = request.headers.host;
if (!hostHeader) {
return false;
}
return originHost === hostHeader;
}
}