* @private * @param {{ [key: string]: string | undefined }} headers headers * @returns {boolean} true when is same origin, otherwise false
(headers)
| 3243 | * @returns {boolean} true when is same origin, otherwise false |
| 3244 | */ |
| 3245 | isSameOrigin(headers) { |
| 3246 | if (this.options.allowedHosts === "all") { |
| 3247 | return true; |
| 3248 | } |
| 3249 | |
| 3250 | const originHeader = headers.origin; |
| 3251 | |
| 3252 | if (!originHeader) { |
| 3253 | return this.options.allowedHosts === "all"; |
| 3254 | } |
| 3255 | |
| 3256 | if (DEFAULT_ALLOWED_PROTOCOLS.test(originHeader)) { |
| 3257 | return true; |
| 3258 | } |
| 3259 | |
| 3260 | const origin = this.#parseHostnameFromHeader(originHeader); |
| 3261 | |
| 3262 | if (origin === null) { |
| 3263 | return false; |
| 3264 | } |
| 3265 | |
| 3266 | if (this.isHostAllowed(origin)) { |
| 3267 | return true; |
| 3268 | } |
| 3269 | |
| 3270 | const hostHeader = headers.host; |
| 3271 | |
| 3272 | if (!hostHeader) { |
| 3273 | return this.options.allowedHosts === "all"; |
| 3274 | } |
| 3275 | |
| 3276 | if (DEFAULT_ALLOWED_PROTOCOLS.test(hostHeader)) { |
| 3277 | return true; |
| 3278 | } |
| 3279 | |
| 3280 | const host = this.#parseHostnameFromHeader(hostHeader); |
| 3281 | |
| 3282 | if (host === null) { |
| 3283 | return false; |
| 3284 | } |
| 3285 | |
| 3286 | if (this.isHostAllowed(host)) { |
| 3287 | return true; |
| 3288 | } |
| 3289 | |
| 3290 | // Treat all loopback aliases as equivalent: localhost may resolve to |
| 3291 | // 127.0.0.1 or ::1 depending on the OS, causing a false mismatch. |
| 3292 | // Only widen when allowedHosts is "auto" (default) or already permits a |
| 3293 | // loopback alias, so an explicit allow-list excluding loopback is honored. |
| 3294 | const loopbacks = new Set(["localhost", "127.0.0.1", "::1"]); |
| 3295 | const loopbackPermitted = |
| 3296 | this.options.allowedHosts === "auto" || |
| 3297 | [...loopbacks].some((alias) => this.isHostAllowed(alias)); |
| 3298 | if (loopbacks.has(origin) && loopbacks.has(host) && loopbackPermitted) { |
| 3299 | return true; |
| 3300 | } |
| 3301 | |
| 3302 | return origin === host; |