| Index: runtime/bin/vmservice/server.dart
|
| diff --git a/runtime/bin/vmservice/server.dart b/runtime/bin/vmservice/server.dart
|
| index 8d6a932ffc515acb8995632adad54ba59434f970..e1cb822f6afd0cfab29a8c26006578aea2dd4433 100644
|
| --- a/runtime/bin/vmservice/server.dart
|
| +++ b/runtime/bin/vmservice/server.dart
|
| @@ -79,9 +79,8 @@ class HttpRequestClient extends Client {
|
| static ContentType jsonContentType =
|
| new ContentType("application", "json", charset: "utf-8");
|
| final HttpRequest request;
|
| - final List<String> _allowedOrigins;
|
|
|
| - HttpRequestClient(this.request, VMService service, this._allowedOrigins)
|
| + HttpRequestClient(this.request, VMService service)
|
| : super(service, sendEvents:false);
|
|
|
| disconnect() {
|
| @@ -95,15 +94,9 @@ class HttpRequestClient extends Client {
|
| return;
|
| }
|
| HttpResponse response = request.response;
|
| + // We closed the connection for bad origins earlier.
|
| + response.headers.add('Access-Control-Allow-Origin', '*');
|
| response.headers.contentType = jsonContentType;
|
| - final origins = request.headers['Origin'];
|
| - if ((origins != null) && (origins.isNotEmpty)) {
|
| - final uri = Uri.parse(origins.first);
|
| - final noPortOrigin = new Uri(host: uri.host, scheme: uri.scheme).origin;
|
| - if (_allowedOrigins.contains(noPortOrigin)) {
|
| - response.headers.add('Access-Control-Allow-Origin', uri.origin);
|
| - }
|
| - }
|
| if (result is String) {
|
| response.write(result);
|
| } else {
|
| @@ -131,7 +124,6 @@ class Server {
|
| final String _ip;
|
| final int _port;
|
| final bool _originCheckDisabled;
|
| - final List<String> _allowedOrigins = <String>[];
|
| HttpServer _server;
|
| bool get running => _server != null;
|
| bool _displayMessages = false;
|
| @@ -140,22 +132,27 @@ class Server {
|
| _displayMessages = (_ip != '127.0.0.1' || _port != 8181);
|
| }
|
|
|
| - void _addOrigin(String host, String port) {
|
| - if (port == null) {
|
| - String origin = 'http://$host';
|
| - _allowedOrigins.add(origin);
|
| - } else {
|
| - String origin = 'http://$host:$port';
|
| - _allowedOrigins.add(origin);
|
| + bool _isAllowedOrigin(String origin) {
|
| + Uri uri;
|
| + try {
|
| + uri = Uri.parse(origin);
|
| + } catch (_) {
|
| + return false;
|
| }
|
| - }
|
|
|
| - bool _isAllowedOrigin(String origin) {
|
| - for (String allowedOrigin in _allowedOrigins) {
|
| - if (origin.startsWith(allowedOrigin)) {
|
| - return true;
|
| - }
|
| + // Explicitly add localhost and 127.0.0.1 on any port (necessary for
|
| + // adb port forwarding).
|
| + if ((uri.host == 'localhost') ||
|
| + (uri.host == '127.0.0.1')) {
|
| + return true;
|
| }
|
| +
|
| + if ((uri.port == _server.port) &&
|
| + ((uri.host == _server.address.address) ||
|
| + (uri.host == _server.address.host))) {
|
| + return true;
|
| + }
|
| +
|
| return false;
|
| }
|
|
|
| @@ -248,7 +245,7 @@ class Server {
|
| }
|
| // HTTP based service request.
|
| try {
|
| - var client = new HttpRequestClient(request, _service, _allowedOrigins);
|
| + var client = new HttpRequestClient(request, _service);
|
| var message = new Message.fromUri(client, request.uri);
|
| client.onMessage(null, message);
|
| } catch (e) {
|
| @@ -264,23 +261,13 @@ class Server {
|
| return new Future.value(this);
|
| }
|
|
|
| - // Clear allowed origins.
|
| - _allowedOrigins.clear();
|
| -
|
| var address = new InternetAddress(_ip);
|
| // Startup HTTP server.
|
| return HttpServer.bind(address, _port).then((s) {
|
| _server = s;
|
| _server.listen(_requestHandler, cancelOnError: true);
|
| - var ip = _server.address.address.toString();
|
| - var port = _server.port.toString();
|
| - // Add the numeric ip and host name to our allowed origins.
|
| - _addOrigin(ip, port);
|
| - _addOrigin(_server.address.host.toString(), port);
|
| - // Explicitly add localhost and 127.0.0.1 on any port (necessary for
|
| - // adb port forwarding).
|
| - _addOrigin('127.0.0.1', null);
|
| - _addOrigin('localhost', null);
|
| + var ip = _server.address.address;
|
| + var port = _server.port;
|
| if (_displayMessages) {
|
| print('Observatory listening on http://$ip:$port');
|
| }
|
|
|
Chromium Code Reviews
Issue 2298943004:
Fix bad origin check. (Closed)
