MCPcopy
hub / github.com/webpack/webpack-dev-server / #isSameOriginRequest

Method #isSameOriginRequest

lib/Server.js:3311–3333  ·  view source on GitHub ↗

* Determines whether a request was initiated from the dev server's own * origin, to reject cross-site request forgery on state-changing endpoints. * @param {Request} req request * @returns {boolean} true when the request can be trusted as same-origin

(req)

Source from the content-addressed store, hash-verified

3309 * @returns {boolean} true when the request can be trusted as same-origin
3310 */
3311 #isSameOriginRequest(req) {
3312 const headers =
3313 /** @type {{ [key: string]: string | undefined }} */
3314 (req.headers);
3315
3316 const secFetchSite = headers["sec-fetch-site"];
3317
3318 // Prefer `Sec-Fetch-Site`: browsers send it even for same-origin GET
3319 // `fetch`es (which omit `Origin`), and a cross-site page cannot forge it.
3320 // `none` is a user-initiated navigation.
3321 if (typeof secFetchSite === "string") {
3322 return secFetchSite === "same-origin" || secFetchSite === "none";
3323 }
3324
3325 // Without `Sec-Fetch-*` metadata (non-browser/legacy clients): a request
3326 // with no `Origin` header was not initiated by another origin's script;
3327 // otherwise fall back to the `Origin`/`Host` comparison.
3328 if (typeof headers.origin !== "string") {
3329 return true;
3330 }
3331
3332 return this.isSameOrigin(headers);
3333 }
3334
3335 /**
3336 * @param {ClientConnection[]} clients clients

Callers 1

setupMiddlewaresMethod · 0.95

Calls 1

isSameOriginMethod · 0.95

Tested by

no test coverage detected