Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
59 changes: 59 additions & 0 deletions src/services/cors.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
const ALLOWED_LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
const CORS_ALLOWED_METHODS = "GET, POST, PUT, DELETE, OPTIONS";
const CORS_ALLOWED_HEADERS = "Content-Type";

export function isAllowedBrowserOrigin(origin: string | null): boolean {
if (!origin) return true;

try {
const url = new URL(origin);
return (
(url.protocol === "http:" || url.protocol === "https:") &&
ALLOWED_LOOPBACK_HOSTS.has(url.hostname)
);
} catch {
return false;
}
}

function corsHeaders(origin: string | null): Record<string, string> {
if (!origin || !isAllowedBrowserOrigin(origin)) return {};

return {
"Access-Control-Allow-Origin": origin,
"Access-Control-Allow-Methods": CORS_ALLOWED_METHODS,
"Access-Control-Allow-Headers": CORS_ALLOWED_HEADERS,
Vary: "Origin",
};
}

export function corsPreflightResponse(req: Request): Response {
const origin = req.headers.get("Origin");

if (!isAllowedBrowserOrigin(origin)) {
return disallowedCorsResponse();
}

return new Response(null, {
status: 204,
headers: {
...corsHeaders(origin),
"Access-Control-Max-Age": "600",
},
});
}

export function disallowedCorsResponse(): Response {
return new Response(
JSON.stringify({
success: false,
error: "Cross-origin requests are restricted to loopback origins.",
}),
{
status: 403,
headers: {
"Content-Type": "application/json",
},
}
);
}
13 changes: 10 additions & 3 deletions src/services/web-server-worker.ts
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import { readFileSync } from "node:fs";
import { join, dirname } from "node:path";
import { fileURLToPath } from "node:url";
import { corsPreflightResponse, disallowedCorsResponse, isAllowedBrowserOrigin } from "./cors.js";
import {
handleListTags,
handleListMemories,
Expand Down Expand Up @@ -49,6 +50,15 @@ async function handleRequest(req: Request): Promise<Response> {
const url = new URL(req.url);
const path = url.pathname;
const method = req.method;
const origin = req.headers.get("Origin");

if (!isAllowedBrowserOrigin(origin)) {
return disallowedCorsResponse();
}

if (method === "OPTIONS") {
return corsPreflightResponse(req);
}

try {
if (path === "/" || path === "/index.html") {
Expand Down Expand Up @@ -289,9 +299,6 @@ function jsonResponse(data: any, status: number = 200): Response {
status,
headers: {
"Content-Type": "application/json",
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
"Access-Control-Allow-Headers": "Content-Type",
},
});
}
Expand Down
13 changes: 10 additions & 3 deletions src/services/web-server.ts
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ import { Readable } from "node:stream";
import { join, dirname } from "node:path";
import { fileURLToPath } from "node:url";
import { log } from "./logger.js";
import { corsPreflightResponse, disallowedCorsResponse, isAllowedBrowserOrigin } from "./cors.js";
import {
handleListTags,
handleListMemories,
Expand Down Expand Up @@ -289,6 +290,15 @@ export class WebServer {
const url = new URL(req.url);
const path = url.pathname;
const method = req.method;
const origin = req.headers.get("Origin");

if (!isAllowedBrowserOrigin(origin)) {
return disallowedCorsResponse();
}

if (method === "OPTIONS") {
return corsPreflightResponse(req);
}

try {
if (path === "/" || path === "/index.html") {
Expand Down Expand Up @@ -533,9 +543,6 @@ export class WebServer {
status,
headers: {
"Content-Type": "application/json",
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
"Access-Control-Allow-Headers": "Content-Type",
},
});
}
Expand Down
47 changes: 47 additions & 0 deletions tests/web-server-cors.test.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
import { describe, expect, it } from "bun:test";
import {
corsPreflightResponse,
disallowedCorsResponse,
isAllowedBrowserOrigin,
} from "../src/services/cors.js";

describe("web server CORS policy", () => {
it("allows non-browser requests without an Origin header", () => {
expect(isAllowedBrowserOrigin(null)).toBe(true);
});

it("allows loopback browser origins", () => {
expect(isAllowedBrowserOrigin("http://127.0.0.1:4747")).toBe(true);
expect(isAllowedBrowserOrigin("http://localhost:4747")).toBe(true);
expect(isAllowedBrowserOrigin("http://[::1]:4747")).toBe(true);
});

it("rejects non-loopback browser origins", () => {
expect(isAllowedBrowserOrigin("https://example.com")).toBe(false);
expect(isAllowedBrowserOrigin("null")).toBe(false);
});

it("returns a loopback-bound preflight response", () => {
const response = corsPreflightResponse(
new Request("http://127.0.0.1:4747/api/memories", {
method: "OPTIONS",
headers: {
Origin: "http://localhost:4747",
"Access-Control-Request-Method": "POST",
},
})
);

expect(response.status).toBe(204);
expect(response.headers.get("Access-Control-Allow-Origin")).toBe("http://localhost:4747");
expect(response.headers.get("Access-Control-Allow-Methods")).toContain("POST");
expect(response.headers.get("Vary")).toBe("Origin");
});

it("does not expose CORS headers on rejected origins", () => {
const response = disallowedCorsResponse();

expect(response.status).toBe(403);
expect(response.headers.get("Access-Control-Allow-Origin")).toBeNull();
});
});