

Merge pull request #91 from hapijs/cors-origin
Cors origin
stongo authored Aug 12, 2016
2 parents c73ed26 + b496431 commit 20975d8
Showing 3 changed files with 21 additions and 7 deletions.
10 changes: 9 additions & 1 deletion lib/index.js
@@ -80,7 +80,7 @@ exports.register = function (server, options, next) {

if ((settings.autoGenerate ||
request.route.settings.plugins._crumb) &&
(request.route.settings.cors ? request.info.cors.isOriginMatch : true)) {
(request.route.settings.cors ? checkCORS(request) : true)) {

generate(request, reply);
}
@@ -154,6 +154,14 @@ exports.register = function (server, options, next) {
return reply.continue();
});

const checkCORS = function (request) {

if (request.headers.origin) {
return request.info.cors.isOriginMatch;
}
return true;
};

const generate = function (request, reply) {

let crumb = request.state[settings.key];
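Review bot: `checkCORS` returns `true` whenever the request carries no `Origin` header, and the helper has no comment saying why that is acceptable, which matters because it decides when a CSRF crumb is issued on CORS-enabled routes. I would add a comment above it such as `// No Origin header: treat as a non-cross-origin request and issue the crumb; isOriginMatch is only consulted when the client sent an Origin.` and state there that `Origin` is client-supplied, so this gate only limits which browser responses receive the cookie and is not an access control by itself. The body could also be the single line `return !request.headers.origin || request.info.cors.isOriginMatch;`. The enclosing `exports.register` starts and ends outside the visible hunks.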
2 changes: 1 addition & 1 deletion package.json
@@ -1,7 +1,7 @@
{
"name": "crumb",
"description": "CSRF crumb generation and validation plugin",
"version": "6.0.2",
"version": "6.0.3",
"repository": "git://github.com/hapijs/crumb",
"bugs": {
"url": "https://github.com/hapijs/crumb/issues"
16 changes: 11 additions & 5 deletions test/index.js
@@ -462,14 +462,20 @@ describe('Crumb', () => {
const header3 = res3.headers['set-cookie'];
expect(header3[0]).to.contain('crumb');

headers.origin = 'http://badsite.com';
server.inject({ method: 'GET', url: '/3' }, (res4) => {

server.inject({ method: 'GET', url: '/3', headers: headers }, (res4) => {
const header4 = res3.headers['set-cookie'];
expect(header4[0]).to.contain('crumb');

const header4 = res4.headers['set-cookie'];
expect(header4).to.not.exist();
headers.origin = 'http://badsite.com';

done();
server.inject({ method: 'GET', url: '/3', headers: headers }, (res5) => {

const header5 = res5.headers['set-cookie'];
expect(header5).to.not.exist();

done();
});
});
});
});
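Review bot: The callback for the new header-less request assigns `const header4 = res3.headers['set-cookie'];`, so the assertion re-checks the previous response and never looks at `res4`; the case this commit adds (no `Origin` header on a CORS route) is left effectively untested. The +/- markers are lost on this page, so I am assuming that line is on the new side, since it pairs with `expect(header4[0]).to.contain('crumb')`. It should read `const header4 = res4.headers['set-cookie'];`. The enclosing `describe`/`it` blocks start outside the hunk.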
