astro
Version:
Astro is a modern site builder with web best practices, performance, and DX front-of-mind.
48 lines (47 loc) • 1.46 kB
JavaScript
import { defineMiddleware } from "../middleware/index.js";
const FORM_CONTENT_TYPES = [
"application/x-www-form-urlencoded",
"multipart/form-data",
"text/plain"
];
function createOriginCheckMiddleware() {
return defineMiddleware((context, next) => {
const { request, url, isPrerendered } = context;
if (isPrerendered) {
return next();
}
if (request.method === "GET") {
return next();
}
const sameOrigin = (request.method === "POST" || request.method === "PUT" || request.method === "PATCH" || request.method === "DELETE") && request.headers.get("origin") === url.origin;
const hasContentType = request.headers.has("content-type");
if (hasContentType) {
const formLikeHeader = hasFormLikeHeader(request.headers.get("content-type"));
if (formLikeHeader && !sameOrigin) {
return new Response(`Cross-site ${request.method} form submissions are forbidden`, {
status: 403
});
}
} else {
if (!sameOrigin) {
return new Response(`Cross-site ${request.method} form submissions are forbidden`, {
status: 403
});
}
}
return next();
});
}
function hasFormLikeHeader(contentType) {
if (contentType) {
for (const FORM_CONTENT_TYPE of FORM_CONTENT_TYPES) {
if (contentType.toLowerCase().includes(FORM_CONTENT_TYPE)) {
return true;
}
}
}
return false;
}
export {
createOriginCheckMiddleware
};