Zengtudor/Nuxt
1
0
Fork 0
mirror of https://github.com/nuxt/nuxt.git synced 2025-02-14 20:58:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(webpack): disallow cross-site requests in no-cors mode (#30757)

Browse Source
This commit is contained in:
Daniel Roe 2025-01-28 23:22:16 +01:00 committed by GitHub
parent c01050f7ba
commit ca7b609aa6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 7 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
packages/webpack/src/webpack.ts
View File

@ -1,6 +1,6 @@
import pify from 'pify' import pify from 'pify'
import { resolve } from 'pathe' import { resolve } from 'pathe'
import { defineEventHandler, fromNodeMiddleware, handleCors, setHeader } from 'h3' import { createError, defineEventHandler, fromNodeMiddleware, getRequestHeader, handleCors, setHeader } from 'h3'
import type { H3CorsOptions } from 'h3' import type { H3CorsOptions } from 'h3'
import type { IncomingMessage, MultiWatching, ServerResponse } from 'webpack-dev-middleware' import type { IncomingMessage, MultiWatching, ServerResponse } from 'webpack-dev-middleware'
import webpackDevMiddleware from 'webpack-dev-middleware' import webpackDevMiddleware from 'webpack-dev-middleware'
@ -146,6 +146,12 @@ function wdmToH3Handler (devMiddleware: webpackDevMiddleware.API<IncomingMessage
if (isPreflight) { if (isPreflight) {
return null return null
} }
// disallow cross-site requests in no-cors mode
if (getRequestHeader(event, 'sec-fetch-mode') === 'no-cors' && getRequestHeader(event, 'sec-fetch-site') === 'cross-site') {
throw createError({ statusCode: 403 })
}
setHeader(event, 'Vary', 'Origin') setHeader(event, 'Vary', 'Origin')
event.context.webpack = { event.context.webpack = {