line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Mojolicious::Plugin::StrictCORS; |
2
|
1
|
|
|
1
|
|
855
|
use Mojo::Base 'Mojolicious::Plugin'; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
9
|
|
3
|
|
|
|
|
|
|
|
4
|
|
|
|
|
|
|
our $VERSION = "0.01_002"; |
5
|
|
|
|
|
|
|
$VERSION = eval $VERSION; |
6
|
|
|
|
|
|
|
|
7
|
1
|
|
|
1
|
|
1037
|
use constant DEFAULT_MAX_AGE => 3600; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
1948
|
|
8
|
|
|
|
|
|
|
|
9
|
|
|
|
|
|
|
sub register { |
10
|
0
|
|
|
0
|
1
|
|
my ($self, $app, $conf) = @_; |
11
|
|
|
|
|
|
|
|
12
|
0
|
|
0
|
|
|
|
$conf->{max_age} //= DEFAULT_MAX_AGE; |
13
|
0
|
|
0
|
|
|
|
$conf->{expose} //= []; |
14
|
|
|
|
|
|
|
|
15
|
|
|
|
|
|
|
# Get route options |
16
|
|
|
|
|
|
|
my $route_opts = sub { |
17
|
0
|
|
|
0
|
|
|
my ($route) = @_; |
18
|
|
|
|
|
|
|
|
19
|
0
|
|
|
|
|
|
my %opts; |
20
|
|
|
|
|
|
|
|
21
|
0
|
|
|
|
|
|
my @fields = qw/origin credentials expose methods headers/; |
22
|
|
|
|
|
|
|
|
23
|
0
|
|
|
|
|
|
while ($route) { |
24
|
0
|
|
|
|
|
|
for my $name (@fields) { |
25
|
0
|
0
|
|
|
|
|
next if exists $opts{$name}; |
26
|
0
|
0
|
|
|
|
|
next unless exists $route->to->{"cors_${name}"}; |
27
|
|
|
|
|
|
|
|
28
|
0
|
|
|
|
|
|
$opts{$name} = $route->to->{"cors_${name}"} |
29
|
|
|
|
|
|
|
} |
30
|
|
|
|
|
|
|
|
31
|
0
|
|
|
|
|
|
$route = $route->parent; |
32
|
|
|
|
|
|
|
} |
33
|
|
|
|
|
|
|
|
34
|
0
|
|
|
|
|
|
return %opts; |
35
|
0
|
|
|
|
|
|
}; |
36
|
|
|
|
|
|
|
|
37
|
|
|
|
|
|
|
# Check Origin header |
38
|
|
|
|
|
|
|
my $check_origin = sub { |
39
|
0
|
|
|
0
|
|
|
my ($c, @allow) = @_; |
40
|
|
|
|
|
|
|
|
41
|
0
|
|
|
|
|
|
my $origin = $c->req->headers->origin; |
42
|
0
|
0
|
|
|
|
|
return unless defined $origin; |
43
|
|
|
|
|
|
|
|
44
|
0
|
0
|
|
|
|
|
return $origin if grep { not ref $_ and $_ eq '*' } @allow; |
|
0
|
0
|
|
|
|
|
|
45
|
|
|
|
|
|
|
|
46
|
|
|
|
|
|
|
return $origin if grep { |
47
|
0
|
0
|
|
|
|
|
if (not ref $_) { lc $origin eq lc $_ } |
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
48
|
0
|
|
|
|
|
|
elsif (ref $_ eq 'Regexp') { $origin =~ $_ } |
49
|
0
|
|
|
|
|
|
else { die "Wrong router config 'cors_origin'" } |
50
|
|
|
|
|
|
|
} @allow; |
51
|
|
|
|
|
|
|
|
52
|
0
|
|
|
|
|
|
$app->log->debug("Reject CORS Origin '$origin'"); |
53
|
|
|
|
|
|
|
|
54
|
0
|
|
|
|
|
|
return; # Fail |
55
|
0
|
|
|
|
|
|
}; |
56
|
|
|
|
|
|
|
|
57
|
|
|
|
|
|
|
# Check request method |
58
|
|
|
|
|
|
|
my $check_methods = sub { |
59
|
0
|
|
|
0
|
|
|
my ($c, @allow) = @_; |
60
|
|
|
|
|
|
|
|
61
|
0
|
|
|
|
|
|
my $method = $c->req->headers->header('Access-Control-Request-Method'); |
62
|
0
|
0
|
|
|
|
|
return unless defined $method; |
63
|
|
|
|
|
|
|
|
64
|
0
|
|
|
|
|
|
my $allow = join ", ", @allow; |
65
|
|
|
|
|
|
|
|
66
|
|
|
|
|
|
|
return $allow if grep { |
67
|
0
|
0
|
|
|
|
|
if (not ref $_) { uc $method eq uc $_ } |
|
0
|
0
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
68
|
0
|
|
|
|
|
|
else { die "Wrong router config 'cors_methods'" } |
69
|
|
|
|
|
|
|
} @allow; |
70
|
|
|
|
|
|
|
|
71
|
0
|
|
|
|
|
|
$app->log->debug("Reject CORS Method '$method'"); |
72
|
|
|
|
|
|
|
|
73
|
0
|
|
|
|
|
|
return; # Fail |
74
|
0
|
|
|
|
|
|
}; |
75
|
|
|
|
|
|
|
|
76
|
|
|
|
|
|
|
# Check request headers |
77
|
|
|
|
|
|
|
my $check_headers = sub { |
78
|
0
|
|
|
0
|
|
|
my ($c, @allow) = @_; |
79
|
|
|
|
|
|
|
|
80
|
0
|
|
|
|
|
|
my @safe_headers = qw/ |
81
|
|
|
|
|
|
|
Cache-Control |
82
|
|
|
|
|
|
|
Content-Language |
83
|
|
|
|
|
|
|
Content-Type |
84
|
|
|
|
|
|
|
Expires |
85
|
|
|
|
|
|
|
Last-Modified |
86
|
|
|
|
|
|
|
Pragma |
87
|
|
|
|
|
|
|
/; |
88
|
|
|
|
|
|
|
|
89
|
0
|
|
|
|
|
|
my %safe_headers = map { lc $_ => 1 } @safe_headers; |
|
0
|
|
|
|
|
|
|
90
|
0
|
|
|
|
|
|
my $allow = join ", ", @allow; |
91
|
|
|
|
|
|
|
|
92
|
0
|
|
|
|
|
|
my $headers = $c->req->headers->header('Access-Control-Request-Headers'); |
93
|
0
|
|
0
|
|
|
|
my @headers = map { lc } grep { $_ } split /,\s*/ms, $headers || ''; |
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
94
|
|
|
|
|
|
|
|
95
|
0
|
0
|
|
|
|
|
return $allow unless @headers; |
96
|
|
|
|
|
|
|
|
97
|
|
|
|
|
|
|
return $allow unless grep { |
98
|
0
|
0
|
|
|
|
|
if (not ref $_) { not $safe_headers{ lc $_ } } |
|
0
|
0
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
99
|
0
|
|
|
|
|
|
else { die "Wrong router config 'cors_headers'" } |
100
|
|
|
|
|
|
|
} @allow; |
101
|
|
|
|
|
|
|
|
102
|
0
|
|
|
|
|
|
$app->log->debug("Reject CORS Headers '$headers'"); |
103
|
|
|
|
|
|
|
|
104
|
0
|
|
|
|
|
|
return; # Fail |
105
|
0
|
|
|
|
|
|
}; |
106
|
|
|
|
|
|
|
|
107
|
|
|
|
|
|
|
$app->hook(around_action => sub { |
108
|
0
|
|
|
0
|
|
|
my ($next, $c, $action, $last) = @_; |
109
|
|
|
|
|
|
|
|
110
|
|
|
|
|
|
|
# Only endpoints intrested |
111
|
0
|
0
|
|
|
|
|
return $next->() unless $last; |
112
|
|
|
|
|
|
|
|
113
|
|
|
|
|
|
|
# Do not process preflight requests |
114
|
0
|
0
|
|
|
|
|
return $next->() if $c->req->method eq 'OPTIONS'; |
115
|
|
|
|
|
|
|
|
116
|
0
|
|
|
|
|
|
my %opts = $route_opts->($c->match->endpoint); |
117
|
|
|
|
|
|
|
|
118
|
0
|
|
0
|
|
|
|
my @opts_origin = @{$opts{origin} //= []}; |
|
0
|
|
|
|
|
|
|
119
|
0
|
0
|
|
|
|
|
return $next->() unless @opts_origin; |
120
|
|
|
|
|
|
|
|
121
|
0
|
|
|
|
|
|
my $h = $c->res->headers; |
122
|
0
|
|
|
|
|
|
$h->append('Vary' => 'Origin'); |
123
|
|
|
|
|
|
|
|
124
|
0
|
|
|
|
|
|
my $origin = $check_origin->($c, @opts_origin); |
125
|
0
|
0
|
|
|
|
|
return $next->() unless defined $origin; |
126
|
|
|
|
|
|
|
|
127
|
0
|
|
|
|
|
|
$h->header('Access-Control-Allow-Origin' => $origin); |
128
|
|
|
|
|
|
|
|
129
|
|
|
|
|
|
|
$h->header('Access-Control-Allow-Credentials' => 'true') |
130
|
0
|
0
|
0
|
|
|
|
if $opts{credentials} //= 0; |
131
|
|
|
|
|
|
|
|
132
|
0
|
|
0
|
|
|
|
my @opts_expose = (@{$conf->{expose}}, @{$opts{expose} //= []}); |
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
133
|
0
|
0
|
|
|
|
|
if (@opts_expose) { |
134
|
0
|
|
|
|
|
|
my $opts_expose = join ", ", @opts_expose; |
135
|
0
|
|
|
|
|
|
$h->header('Access-Control-Expose-Headers' => $opts_expose); |
136
|
|
|
|
|
|
|
} |
137
|
|
|
|
|
|
|
|
138
|
0
|
|
|
|
|
|
$app->log->debug("Allow CORS Origin '$origin'"); |
139
|
|
|
|
|
|
|
|
140
|
0
|
|
|
|
|
|
return $next->(); |
141
|
0
|
|
|
|
|
|
}); |
142
|
|
|
|
|
|
|
|
143
|
|
|
|
|
|
|
# CORS Under |
144
|
|
|
|
|
|
|
$app->routes->add_shortcut(under_cors => sub { |
145
|
0
|
|
|
0
|
|
|
my ($r, @args) = @_; |
146
|
|
|
|
|
|
|
|
147
|
|
|
|
|
|
|
$r->under(@args)->to( |
148
|
|
|
|
|
|
|
cb => sub { |
149
|
0
|
|
|
|
|
|
my ($c) = @_; |
150
|
|
|
|
|
|
|
|
151
|
|
|
|
|
|
|
# Not a CORS request, success |
152
|
0
|
0
|
|
|
|
|
return 1 unless defined $c->req->headers->origin; |
153
|
|
|
|
|
|
|
|
154
|
0
|
|
|
|
|
|
my %opts = $route_opts->($c->match->endpoint); |
155
|
|
|
|
|
|
|
|
156
|
|
|
|
|
|
|
# Route configured for CORS, success |
157
|
0
|
0
|
0
|
|
|
|
return 1 if @{$opts{origin} //= []}; |
|
0
|
|
|
|
|
|
|
158
|
|
|
|
|
|
|
|
159
|
0
|
|
|
|
|
|
$c->render(status => 403, text => "CORS Forbidden"); |
160
|
0
|
|
|
|
|
|
$app->log->debug("Forbidden CORS request"); |
161
|
|
|
|
|
|
|
|
162
|
0
|
|
|
|
|
|
return; # Fail |
163
|
|
|
|
|
|
|
} |
164
|
0
|
|
|
|
|
|
); |
165
|
0
|
|
|
|
|
|
}); |
166
|
|
|
|
|
|
|
|
167
|
|
|
|
|
|
|
# CORS Preflight |
168
|
|
|
|
|
|
|
$app->routes->add_shortcut(cors => sub { |
169
|
0
|
|
|
0
|
|
|
my ($r, @args) = @_; |
170
|
|
|
|
|
|
|
|
171
|
|
|
|
|
|
|
$r->route(@args)->options->over( |
172
|
|
|
|
|
|
|
headers => { |
173
|
|
|
|
|
|
|
'Origin' => qr/\S/ms, |
174
|
|
|
|
|
|
|
'Access-Control-Request-Method' => qr/\S/ms |
175
|
|
|
|
|
|
|
} |
176
|
|
|
|
|
|
|
)->to( |
177
|
|
|
|
|
|
|
cb => sub { |
178
|
0
|
|
|
|
|
|
my ($c) = @_; |
179
|
|
|
|
|
|
|
|
180
|
0
|
|
|
|
|
|
my %opts = $route_opts->($c->match->endpoint); |
181
|
|
|
|
|
|
|
|
182
|
0
|
|
0
|
|
|
|
my @opts_origin = @{$opts{origin} //= []}; |
|
0
|
|
|
|
|
|
|
183
|
0
|
0
|
|
|
|
|
return $c->render(status => 204, data => '') |
184
|
|
|
|
|
|
|
unless @opts_origin; |
185
|
|
|
|
|
|
|
|
186
|
0
|
|
|
|
|
|
my $h = $c->res->headers; |
187
|
0
|
|
|
|
|
|
$h->append('Vary' => 'Origin'); |
188
|
|
|
|
|
|
|
|
189
|
0
|
|
|
|
|
|
my $origin = $check_origin->($c, @opts_origin); |
190
|
0
|
0
|
|
|
|
|
return $c->render(status => 204, data => '') |
191
|
|
|
|
|
|
|
unless defined $origin; |
192
|
|
|
|
|
|
|
|
193
|
0
|
|
0
|
|
|
|
my @opts_methods = @{$opts{methods} //= []}; |
|
0
|
|
|
|
|
|
|
194
|
|
|
|
|
|
|
push @opts_methods, 'HEAD' |
195
|
0
|
|
|
|
|
|
if grep { uc $_ eq 'GET' } @opts_methods |
196
|
0
|
0
|
0
|
|
|
|
and not grep { uc $_ eq 'HEAD' } @opts_methods; |
|
0
|
|
|
|
|
|
|
197
|
0
|
0
|
|
|
|
|
return $c->render(status => 204, data => '') |
198
|
|
|
|
|
|
|
unless @opts_methods; |
199
|
|
|
|
|
|
|
|
200
|
0
|
|
|
|
|
|
my $methods = $check_methods->($c, @opts_methods); |
201
|
0
|
0
|
|
|
|
|
return $c->render(status => 204, data => '') |
202
|
|
|
|
|
|
|
unless defined $methods; |
203
|
|
|
|
|
|
|
|
204
|
0
|
|
0
|
|
|
|
my @opts_headers = @{$opts{headers} //= []}; |
|
0
|
|
|
|
|
|
|
205
|
|
|
|
|
|
|
|
206
|
0
|
|
|
|
|
|
my $headers = $check_headers->($c, @opts_headers); |
207
|
0
|
0
|
|
|
|
|
return $c->render(status => 204, data => '') |
208
|
|
|
|
|
|
|
unless defined $headers; |
209
|
|
|
|
|
|
|
|
210
|
0
|
|
|
|
|
|
$h->header('Access-Control-Allow-Origin' => $origin); |
211
|
0
|
|
|
|
|
|
$h->header('Access-Control-Allow-Methods' => $methods); |
212
|
|
|
|
|
|
|
|
213
|
0
|
0
|
|
|
|
|
$h->header('Access-Control-Allow-Headers' => $headers) |
214
|
|
|
|
|
|
|
if $headers; |
215
|
|
|
|
|
|
|
|
216
|
|
|
|
|
|
|
$h->header('Access-Control-Allow-Credentials' => 'true') |
217
|
0
|
0
|
0
|
|
|
|
if $opts{credentials} //= 0; |
218
|
|
|
|
|
|
|
|
219
|
0
|
|
|
|
|
|
$h->header('Access-Control-Max-Age' => $conf->{max_age}); |
220
|
|
|
|
|
|
|
|
221
|
0
|
|
|
|
|
|
$app->log->debug("Accept CORS '$origin' => '$methods'"); |
222
|
|
|
|
|
|
|
|
223
|
0
|
|
|
|
|
|
return $c->render(status => 204, data => ''); |
224
|
|
|
|
|
|
|
} |
225
|
0
|
|
|
|
|
|
); |
226
|
0
|
|
|
|
|
|
}); |
227
|
|
|
|
|
|
|
} |
228
|
|
|
|
|
|
|
|
229
|
|
|
|
|
|
|
1; |
230
|
|
|
|
|
|
|
|
231
|
|
|
|
|
|
|
__END__ |