fix(security): check cross origin requests

Author: sapphi-red

lib/Server.js

@@ -2209,6 +2209,32 @@ class Server{
 this.options.onBeforeSetupMiddleware(this);
 }
 
+// Register setup cross origin request check for securityAdd commentMore actions
+middlewares.push({
+name: "cross-origin-header-check",
+/**
+ * @param{Request} req
+ * @param{Response} res
+ * @param{NextFunction} next
+ * @returns{void}
+ */
+middleware: (req,res,next)=>{
+constheaders=
+/** @type{{[key: string]: string | undefined }} */
+(req.headers);
+if(
+headers["sec-fetch-mode"]==="no-cors"&&
+headers["sec-fetch-site"]==="cross-site"
+){
+res.statusCode=403;
+res.end("Cross-Origin request blocked");
+return;
+}
+
+next();
+},
+});
+
 if(typeofthis.options.headers!=="undefined"){
 middlewares.push({
 name: "set-headers",

test/e2e/cross-origin-request.test.js

@@ -0,0 +1,118 @@
+"use strict";
+
+constwebpack=require("webpack");
+constServer=require("../../lib/Server");
+constconfig=require("../fixtures/client-config/webpack.config");
+construnBrowser=require("../helpers/run-browser");
+const[port1,port2]=require("../ports-map")["cross-origin-request"];
+
+describe("cross-origin requests",()=>{
+constdevServerPort=port1;
+consthtmlServerPort=port2;
+consthtmlServerHost="127.0.0.1";
+
+it("should return 403 for cross-origin no-cors non-module script tag requests",async()=>{
+constcompiler=webpack(config);
+constdevServerOptions={
+port: devServerPort,
+allowedHosts: "auto",
+};
+constserver=newServer(devServerOptions,compiler);
+
+awaitserver.start();
+
+// Start a separate server for serving the HTML file
+consthttp=require("http");
+consthtmlServer=http.createServer((req,res)=>{
+res.writeHead(200,{"Content-Type": "text/html"});
+res.end(`
+ <html>
+ <head>
+ <script src="http://localhost:${devServerPort}/main.js"></script>
+ </head>
+ <body></body>
+ </html>
+ `);
+});
+htmlServer.listen(htmlServerPort,htmlServerHost);
+
+const{ page, browser }=awaitrunBrowser();
+try{
+constpageErrors=[];
+
+page.on("pageerror",(error)=>{
+pageErrors.push(error);
+});
+
+constscriptTagRequest=page.waitForResponse(
+`http://localhost:${devServerPort}/main.js`
+);
+
+awaitpage.goto(`http://${htmlServerHost}:${htmlServerPort}`);
+
+constresponse=awaitscriptTagRequest;
+
+expect(response.status()).toBe(403);
+}catch(error){
+throwerror;
+}finally{
+awaitbrowser.close();
+awaitserver.stop();
+htmlServer.close();
+}
+});
+
+it("should return 200 for cross-origin cors non-module script tag requests",async()=>{
+constcompiler=webpack(config);
+constdevServerOptions={
+port: devServerPort,
+allowedHosts: "auto",
+headers: {
+"Access-Control-Allow-Origin": "*",
+},
+};
+constserver=newServer(devServerOptions,compiler);
+
+awaitserver.start();
+
+// Start a separate server for serving the HTML file
+consthttp=require("http");
+consthtmlServer=http.createServer((req,res)=>{
+res.writeHead(200,{"Content-Type": "text/html"});
+res.end(`
+ <html>
+ <head>
+ <script src="http://localhost:${devServerPort}/main.js" crossorigin></script>
+ </head>
+ <body></body>
+ </html>
+ `);
+});
+htmlServer.listen(htmlServerPort,htmlServerHost);
+
+const{ page, browser }=awaitrunBrowser();
+try{
+constpageErrors=[];
+
+page.on("pageerror",(error)=>{
+pageErrors.push(error);
+});
+
+constscriptTagRequest=page.waitForResponse(
+`http://localhost:${devServerPort}/main.js`
+);
+
+awaitpage.goto(`http://${htmlServerHost}:${htmlServerPort}`);
+
+constresponse=awaitscriptTagRequest;
+
+expect(response.status()).toBe(200);
+}catch(error){
+throwerror;
+}finally{
+awaitbrowser.close();
+awaitserver.stop();
+htmlServer.close();
+}
+});
+});

test/ports-map.js

@@ -80,6 +80,7 @@ const listOfTests ={
 "normalize-option": 1,
 "setup-middlewares-option": 1,
 "options-request-response": 2,
+"cross-origin-request": 2,
 };
 
 letstartPort=8089;