From 595dd81455e06f6c961e6b3398e5b1e0afdcb476 Mon Sep 17 00:00:00 2001
From: Bobby
Date: Mon, 2 May 2022 13:58:04 +0700
Subject: [PATCH] feat: apply access-control-allow-origin globally instead of only on some arbitrary routes

configurable via config, please check sample, disabled by default
i still recommend configuring from your own http server (nginx, etc.), if you want to have a more complex per-routes headers
---
 config.sample.js | 29 ++++++++++++++++++++++++-----
 lolisafe.js      | 22 +++++++++++++++-------
 2 files changed, 39 insertions(+), 12 deletions(-)

diff --git a/config.sample.js b/config.sample.js
index 131087c..1119841 100644
--- a/config.sample.js
+++ b/config.sample.js
@@ -138,14 +138,18 @@ module.exports = {
   /*
     Helmet security headers.
     https://github.com/helmetjs/helmet/tree/v5.0.2#how-it-works
+
+    These headers will be applied to ALL resources, including API endpoints,
+    and files if you serve them with node.
+    If you need to disable some of the headers at certain routes, it's recommended
+    to instead use own http server (nginx, etc.) in front of lolisafe and configure from there.
+
+    NOTE: You may set "helmet" option as an empty object {} to disable Helmet entirely.
+    Setting it as any falsy value will instead apply some default configurations.
   */
   helmet: {
     contentSecurityPolicy: false,
-    /*
-      Cross-Origin-* headers were enabled by default since Helmet v5.0.0
-      However, for installations that use own http server for files (nginx, etc.),
-      these headers also need to be configured in there.
-    */
+    // Cross-Origin-* headers were enabled by default since Helmet v5.0.0
     crossOriginEmbedderPolicy: false,
     crossOriginOpenerPolicy: false,
     crossOriginResourcePolicy: false,
@@ -161,6 +165,21 @@ module.exports = {
     originAgentCluster: false
   },
 
+  /*
+    Access-Control-Allow-Origin
+    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
+    These headers will be applied to ALL resources, including API endpoints,
+    and files if you serve them with node.
+
+    If set to true, it will be set as wildcard (*).
+    If set to any falsy value, it will be not set altogether.
+    Otherwise if any string value, it will be set as-is.
+
+    Whether to use this in conjunction with Cross-Origin-* headers depends on your needs.
+    FAQ: https://resourcepolicy.fyi/#acao
+  */
+  accessControlAllowOrigin: false,
+
   /*
     Trust proxy.
     Enable this if you are using proxy such as Cloudflare or Incapsula,
diff --git a/lolisafe.js b/lolisafe.js
index bc77fda..0fc2d00 100644
--- a/lolisafe.js
+++ b/lolisafe.js
@@ -77,6 +77,20 @@ if (config.helmet instanceof Object) {
   safe.use(helmet(defaults))
 }
 
+// Access-Control-Allow-Origin
+if (config.accessControlAllowOrigin) {
+  if (config.accessControlAllowOrigin === true) {
+    config.accessControlAllowOrigin = '*'
+  }
+  safe.use((req, res, next) => {
+    res.set('Access-Control-Allow-Origin', config.accessControlAllowOrigin)
+    if (config.accessControlAllowOrigin !== '*') {
+      res.vary('Origin')
+    }
+    next()
+  })
+}
+
 if (config.trustProxy) {
   safe.set('trust proxy', 1)
 }
@@ -105,9 +119,7 @@ safe.use(bodyParser.urlencoded({ extended: true }))
 safe.use(bodyParser.json())
 
 const cdnPages = [...config.pages]
-let setHeaders = res => {
-  res.set('Access-Control-Allow-Origin', '*')
-}
+let setHeaders
 
 const contentTypes = config.overrideContentTypes && Object.keys(config.overrideContentTypes)
 const overrideContentTypes = (res, path) => {
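Review bot: The sample comment for the new `accessControlAllowOrigin` option says a string value is "set as-is" but does not tell the operator what a valid string is; the header carries exactly one origin or `*`, so a comma-separated list of origins is not valid and browsers will reject it, and the literal string `null` should be avoided because sandboxed iframes and `data:`/`file:` documents report a `null` origin. Suggested wording for that line: `Otherwise if any string value, it will be set as-is (a single origin such as https://example.com; the header cannot carry a list of origins, and "null" should not be used).`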
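Review bot: The normalisation `config.accessControlAllowOrigin = '*'` writes back into the shared `config` object, and the closure then re-reads that property on every request, so any later code that inspects the option sees `'*'` rather than the `true` the operator configured. Resolving it once into a local, `const allowOrigin = config.accessControlAllowOrigin === true ? '*' : config.accessControlAllowOrigin`, and using `allowOrigin` in the `res.set` and `!== '*'` lines keeps the config untouched and fixes the middleware's value at startup. Because the value comes from config rather than being reflected from the request's `Origin`, adding `Vary: Origin` only for a non-wildcard value is correct. One thing to confirm outside this hunk: API routes called cross-origin from a browser with a custom header would presumably also need a preflight response (`Access-Control-Allow-Headers`/`Access-Control-Allow-Methods`), which this middleware does not provide.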
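Review bot: `let setHeaders` is now declared without a value, so when `config.cacheControl` is off it presumably stays `undefined` at the point further down the file (outside this hunk) where it is handed to the static file serving; please confirm that consumer tolerates an `undefined` `setHeaders` option, and otherwise initialise it to a no-op, `let setHeaders = () => {}`. If it is always reassigned before use, a short comment, `// Assigned below depending on config.cacheControl`, would make the bare declaration read as intentional.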
@@ -187,7 +199,6 @@ if (config.cacheControl) {
   if (config.serveFilesWithNode) {
     initServeStaticUploads({
       setHeaders: (res, path) => {
-        res.set('Access-Control-Allow-Origin', '*')
         // Override Content-Type if necessary
         if (contentTypes && contentTypes.length) {
           overrideContentTypes(res, path)
@@ -205,13 +216,11 @@ if (config.cacheControl) {
   // This requires the assets to use version in their query string,
   // as they will be cached by clients for a very long time.
   setHeaders = res => {
-    res.set('Access-Control-Allow-Origin', '*')
     res.set('Cache-Control', cacheControls.static)
   }
 
   // Consider album ZIPs static as well, since they use version in their query string
   safe.use(['/api/album/zip'], (req, res, next) => {
-    res.set('Access-Control-Allow-Origin', '*')
     const versionString = parseInt(req.query.v)
     if (versionString > 0) {
       res.set('Cache-Control', cacheControls.static)
@@ -223,7 +232,6 @@ if (config.cacheControl) {
 } else if (config.serveFilesWithNode) {
   initServeStaticUploads({
     setHeaders: (res, path) => {
-      res.set('Access-Control-Allow-Origin', '*')
       // Override Content-Type if necessary
       if (contentTypes && contentTypes.length) {
         overrideContentTypes(res, path)