* Determines whether a request was initiated from the dev server's own * origin, to reject cross-site request forgery on state-changing endpoints. * @param {Request} req request * @returns {boolean} true when the request can be trusted as same-origin
(req)
| 3309 | * @returns {boolean} true when the request can be trusted as same-origin |
| 3310 | */ |
| 3311 | #isSameOriginRequest(req) { |
| 3312 | const headers = |
| 3313 | /** @type {{ [key: string]: string | undefined }} */ |
| 3314 | (req.headers); |
| 3315 | |
| 3316 | const secFetchSite = headers["sec-fetch-site"]; |
| 3317 | |
| 3318 | // Prefer `Sec-Fetch-Site`: browsers send it even for same-origin GET |
| 3319 | // `fetch`es (which omit `Origin`), and a cross-site page cannot forge it. |
| 3320 | // `none` is a user-initiated navigation. |
| 3321 | if (typeof secFetchSite === "string") { |
| 3322 | return secFetchSite === "same-origin" || secFetchSite === "none"; |
| 3323 | } |
| 3324 | |
| 3325 | // Without `Sec-Fetch-*` metadata (non-browser/legacy clients): a request |
| 3326 | // with no `Origin` header was not initiated by another origin's script; |
| 3327 | // otherwise fall back to the `Origin`/`Host` comparison. |
| 3328 | if (typeof headers.origin !== "string") { |
| 3329 | return true; |
| 3330 | } |
| 3331 | |
| 3332 | return this.isSameOrigin(headers); |
| 3333 | } |
| 3334 | |
| 3335 | /** |
| 3336 | * @param {ClientConnection[]} clients clients |
no test coverage detected