Skip to content

Commit e6daf34

Browse files
alexdimaalexdima
committed
Better simulate real-life CORS in code-web server
1 parent 58852ea commit e6daf34

File tree

1 file changed

+27
-6
lines changed

1 file changed

+27
-6
lines changed

resources/web/code-web.js

Lines changed: 27 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,14 @@ const BUILTIN_MARKETPLACE_EXTENSIONS_ROOT = path.join(APP_ROOT, '.build', 'built
2828
const WEB_DEV_EXTENSIONS_ROOT = path.join(APP_ROOT, '.build', 'builtInWebDevExtensions');
2929
const WEB_MAIN = path.join(APP_ROOT, 'src', 'vs', 'code', 'browser', 'workbench', 'workbench-dev.html');
3030

31+
// This is useful to simulate real world CORS
32+
const ALLOWED_CORS_ORIGINS = [
33+
'http://localhost:8081',
34+
'http://127.0.0.1:8081',
35+
'http://localhost:8080',
36+
'http://127.0.0.1:8080',
37+
];
38+
3139
const WEB_PLAYGROUND_VERSION = '0.0.10';
3240

3341
const args = minimist(process.argv, {
@@ -281,6 +289,17 @@ secondaryServer.on('error', err => {
281289
console.error(err);
282290
});
283291

292+
/**
293+
* @param {import('http').IncomingMessage} req
294+
*/
295+
function addCORSReplyHeader(req) {
296+
if (typeof req.headers['origin'] !== 'string') {
297+
// not a CORS request
298+
return false;
299+
}
300+
return (ALLOWED_CORS_ORIGINS.indexOf(req.headers['origin']) >= 0);
301+
}
302+
284303
/**
285304
* @param {import('http').IncomingMessage} req
286305
* @param {import('http').ServerResponse} res
@@ -291,9 +310,10 @@ async function handleStatic(req, res, parsedUrl) {
291310
if (/^\/static\/extensions\//.test(parsedUrl.pathname)) {
292311
const relativePath = decodeURIComponent(parsedUrl.pathname.substr('/static/extensions/'.length));
293312
const filePath = getExtensionFilePath(relativePath, (await builtInExtensionsPromise).locations);
294-
const responseHeaders = {
295-
'Access-Control-Allow-Origin': '*'
296-
};
313+
const responseHeaders = {};
314+
if (addCORSReplyHeader(req)) {
315+
responseHeaders['Access-Control-Allow-Origin'] = '*';
316+
}
297317
if (!filePath) {
298318
return serveError(req, res, 400, `Bad request.`, responseHeaders);
299319
}
@@ -315,9 +335,10 @@ async function handleExtension(req, res, parsedUrl) {
315335
// Strip `/extension/` from the path
316336
const relativePath = decodeURIComponent(parsedUrl.pathname.substr('/extension/'.length));
317337
const filePath = getExtensionFilePath(relativePath, (await commandlineProvidedExtensionsPromise).locations);
318-
const responseHeaders = {
319-
'Access-Control-Allow-Origin': '*'
320-
};
338+
const responseHeaders = {};
339+
if (addCORSReplyHeader(req)) {
340+
responseHeaders['Access-Control-Allow-Origin'] = '*';
341+
}
321342
if (!filePath) {
322343
return serveError(req, res, 400, `Bad request.`, responseHeaders);
323344
}

0 commit comments

Comments
 (0)