Skip to content

Commit

Permalink
Merge HEAD
Browse files Browse the repository at this point in the history
  • Loading branch information
@tiberiuichim
tiberiuichim committed Dec 6, 2019
2 parents 647d24d + 7c63482 commit 4375c7c
Show file tree
Hide file tree
Showing 2 changed files with 64 additions and 51 deletions.
15 changes: 12 additions & 3 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,15 @@ if (module.hot) {
}
```

Configure the allowed_cors_destinations in config.settings or provide a system
environment variable named ALLOWED_CORS_DESTINATIONS, which is a list of comma
separated hostnames.
In the ``config.js`` file, add a new key to the ``settings`` variable, named
``allowed_cors_destinations``. This is an array of strings, each string being
a hostname that will be allowed as proxy destination. For example, to allow
embedding files from the eea.europa.eu domain, set the settings like:

```
settings.allowed_cors_destinations = ['eea.europa.eu']
```

Another option is to provide a system environment variable named
ALLOWED_CORS_DESTINATIONS, which is a list of comma separated hostnames.
100 changes: 52 additions & 48 deletions src/server.jsx
View file
Original file line number Diff line number Diff line change
Expand Up @@ -59,59 +59,63 @@ const allowed_cors_destinations = [
...env_destinations,
];

server
.disable('x-powered-by')
.use(express.static(process.env.RAZZLE_PUBLIC_DIR))
function handleAll(req, res, next) {
const match = req.path.match(/\/cors-proxy\/(.*)/);
if (match && match.length === 2) {
// console.log('CORS method on path', req.path);

.all('/*', function(req, res, next) {
const match = req.path.match(/\/cors-proxy\/(.*)/);
if (match && match.length === 2) {
const targetURL = match[1];
const parsed = url.parse(targetURL);
const targetURL = match[1];
const parsed = url.parse(targetURL);

// TODO: use regex matching
if (allowed_cors_destinations.indexOf(parsed.host) === -1) {
res.set({
'Cache-Control': 'public, max-age=60, no-transform',
});
if (allowed_cors_destinations.indexOf(parsed.host) === -1) {
res.set({
'Cache-Control': 'public, max-age=60, no-transform',
});

console.error(`Not proxying: ${targetURL}`);
res.status(409).send(`<!doctype html><html><body>
Error, CORS proxy destination not allowed</body></html>
`);
return;
}

res
.status(500)
.send(`<!doctype html><html><body>Error, not allowed</body></html>`);
return;
}

// Set CORS headers: allow all origins, methods, and headers:
// you may want to lock this down in a production environment
res.header(
'Access-Control-Allow-Origin',
settings.allow_cors_origin || '*',
);
res.header('Access-Control-Allow-Methods', 'GET');
// res.header('Access-Control-Allow-Headers', '');

if (req.method === 'OPTIONS') {
res.send(); // CORS Preflight
} else {
request(
{
url: targetURL,
method: req.method,
json: req.body,
headers: { Authorization: req.header('Authorization') },
},
function(error, response, body) {
if (error) {
console.error('error: ' + response.statusCode);
}
// console.log(body);
},
).pipe(res);
}
// Set CORS headers: allow all origins, methods, and headers:
// you may want to lock this down in a production environment
res.header(
'Access-Control-Allow-Origin',
settings.allow_cors_origin || '*',
);
res.header('Access-Control-Allow-Methods', 'GET');
// res.header('Access-Control-Allow-Headers', '');

if (req.method === 'OPTIONS') {
res.send(); // CORS Preflight
} else {
next();
request(
{
url: targetURL,
method: req.method,
json: req.body,
headers: { Authorization: req.header('Authorization') },
},
function(error, response, body) {
if (error) {
console.error('error: ' + response.statusCode);
}
// console.log(body);
},
).pipe(res);
}
})
} else {
next();
}
}

server
.disable('x-powered-by')
.use(express.static(process.env.RAZZLE_PUBLIC_DIR))

.all('/*', handleAll)

.get('/*', (req, res) => {
plugToRequest(req, res);
Expand Down

0 comments on commit 4375c7c

Please sign in to comment.