
Commit 134ec9b

ltomesfengmk2
authored and committed Mar 12, 2022
feat: support secure context headers
see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer/Planned_changes — allows use of SharedArrayBuffer; modified by #82
1 parent f416c97 commit 134ec9b


3 files changed

+67
-1
lines changed

 

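--- a/README.md
+++ b/README.md
@@ -55,6 +55,7 @@ app.use(cors());
 * - {String|Number} maxAge `Access-Control-Max-Age` in seconds
 * - {Boolean|Function(ctx)} credentials `Access-Control-Allow-Credentials`, default is false.
 * - {Boolean} keepHeadersOnError Add set headers to `err.header` if an error is thrown
+* - {Boolean} secureContext `Cross-Origin-Opener-Policy` & `Cross-Origin-Embedder-Policy` headers.', default is false
 * @return {Function} cors middleware
 * @api public
 */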

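--- a/index.js
+++ b/index.js
@@ -13,12 +13,15 @@ const vary = require('vary');
 * - {String|Number} maxAge `Access-Control-Max-Age` in seconds
 * - {Boolean} credentials `Access-Control-Allow-Credentials`
 * - {Boolean} keepHeadersOnError Add set headers to `err.header` if an error is thrown
+* - {Boolean} secureContext `Cross-Origin-Opener-Policy` & `Cross-Origin-Embedder-Policy` headers.', default is false
+* @see https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer/Planned_changes
 * @return {Function} cors middleware
 * @api public
 */
 module.exports = function(options) {
 const defaults = {
 allowMethods: 'GET,HEAD,PUT,POST,DELETE,PATCH',
+secureContext: false,
 };
 
 options = {
@@ -43,7 +46,7 @@ module.exports = function(options) {
 }
 
 options.keepHeadersOnError = options.keepHeadersOnError === undefined || !!options.keepHeadersOnError;
-
+
 return async function cors(ctx, next) {
 // If the Origin header is not present terminate this set of steps.
 // The request is outside the scope of this specification.
@@ -91,6 +94,11 @@ module.exports = function(options) {
 set('Access-Control-Expose-Headers', options.exposeHeaders);
 }
 
+if (options.secureContext) {
+set('Cross-Origin-Opener-Policy', 'same-origin');
+set('Cross-Origin-Embedder-Policy', 'require-corp');
+}
+
 if (!options.keepHeadersOnError) {
 return await next();
 }
@@ -133,6 +141,11 @@ module.exports = function(options) {
 ctx.set('Access-Control-Allow-Methods', options.allowMethods);
 }
 
+if (options.secureContext) {
+set('Cross-Origin-Opener-Policy', 'same-origin');
+set('Cross-Origin-Embedder-Policy', 'require-corp');
+}
+
 let allowHeaders = options.allowHeaders;
 if (!allowHeaders) {
 allowHeaders = ctx.get('Access-Control-Request-Headers');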
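Review bot: The new `Cross-Origin-Opener-Policy` / `Cross-Origin-Embedder-Policy` writes at new lines 97–100 and 144–147 are only reached for requests that carry an `Origin` header — the context comment at new lines 51–52 says the middleware terminates when `Origin` is absent, and that early return itself sits outside the hunk. A same-origin top-level navigation does not send `Origin`, yet that document is the one that must carry COOP/COEP to become cross-origin isolated and use `SharedArrayBuffer`, so with the option as written such pages presumably get no headers; consider emitting them before the `Origin` check, or documenting that `secureContext` only affects CORS requests. The two identical blocks could be one small helper called from both branches, and the preflight copy uses `set(...)` where the neighbouring line 141 uses `ctx.set(...)` — worth making deliberate. Minor: the JSDoc line at new line 16 has a stray `'` in `headers.', default is false`; `headers, default is false` reads cleanly. The enclosing `module.exports = function(options)` begins and ends outside this hunk.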

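--- a/test/cors.test.js
+++ b/test/cors.test.js
@@ -79,6 +79,58 @@ describe('cors.test.js', function() {
 });
 });
 
+describe('options.secureContext=true', function() {
+const app = new Koa();
+app.use(cors({
+secureContext: true,
+}));
+app.use(function(ctx) {
+ctx.body = { foo: 'bar' };
+});
+
+it('should always set `Cross-Origin-Opener-Policy` & `Cross-Origin-Embedder-Policy` on not OPTIONS', function(done) {
+request(app.listen())
+.get('/')
+.set('Origin', 'http://koajs.com')
+.expect('Cross-Origin-Opener-Policy', 'same-origin')
+.expect('Cross-Origin-Embedder-Policy', 'require-corp')
+.expect({ foo: 'bar' })
+.expect(200, done);
+});
+
+it('should always set `Cross-Origin-Opener-Policy` & `Cross-Origin-Embedder-Policy` on OPTIONS', function(done) {
+request(app.listen())
+.options('/')
+.set('Origin', 'http://koajs.com')
+.set('Access-Control-Request-Method', 'PUT')
+.expect('Cross-Origin-Opener-Policy', 'same-origin')
+.expect('Cross-Origin-Embedder-Policy', 'require-corp')
+.expect(204, done);
+});
+});
+
+describe('options.secureContext=false', function() {
+const app = new Koa();
+app.use(cors({
+secureContext: false,
+}));
+app.use(function(ctx) {
+ctx.body = { foo: 'bar' };
+});
+
+it('should not set `Cross-Origin-Opener-Policy` & `Cross-Origin-Embedder-Policy`', function(done) {
+request(app.listen())
+.get('/')
+.set('Origin', 'http://koajs.com')
+.expect(res => {
+assert(!('Cross-Origin-Opener-Policy' in res.headers));
+assert(!('Cross-Origin-Embedder-Policy' in res.headers));
+})
+.expect({ foo: 'bar' })
+.expect(200, done);
+});
+});
+
 describe('options.origin=function', function() {
 const app = new Koa();
 app.use(cors({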
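Review bot: No test pins what `secureContext: true` does for a request that carries no `Origin` header — every request in new lines 82–110 sets `Origin: http://koajs.com`. Since the middleware appears to return early when `Origin` is absent, such a request presumably receives neither COOP nor COEP, and a same-origin page load is exactly the case a user enabling this option for `SharedArrayBuffer` will hit first, so it deserves an explicit assertion either way: a third `it` issuing `.get('/')` without `.set('Origin', ...)` and checking `res.headers` in an `.expect(res => ...)` callback as the `secureContext=false` test does. The `secureContext=false` block at new lines 112–132 also exercises only GET, not the OPTIONS path that the `true` block covers. The enclosing `describe('cors.test.js', ...)` begins and ends outside the hunk.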
