fix: Ensure Access-Control-Allow-Origin header contains valid origin (#68)

nzakas · web-flow · commit 0e529ee72362 · 2025-02-27T13:45:26.000-05:00
* fix: Ensure Access-Control-Allow-Origin header contains valid origin

* Fix FetchMocker

* Fix Origin detection
diff --git a/src/cors.js b/src/cors.js
@@ -245,6 +245,20 @@ function isCorsSafeListedRequestHeader(name, value) {
 	
 }
 
+/**
+ * Checks if a string is a valid origin.
+ * @param {string} origin The origin to validate.
+ * @returns {boolean} `true` if the origin is valid, `false` otherwise.
+*/
+function isValidOrigin(origin) {
+	try {
+		new URL(origin);
+		return true;
+	} catch {
+		return false;
+	}
+}
+
 //-----------------------------------------------------------------------------
 // Exports
 //-----------------------------------------------------------------------------
@@ -298,27 +312,51 @@ export class CorsPreflightError extends CorsError {
  * Asserts that the response has the correct CORS headers.
  * @param {Response} response The response to check.
  * @param {string} origin The origin to check against.
+ * @param {boolean} isPreflight `true` if this is a preflight request, `false` otherwise.
  * @returns {void}
  * @throws {Error} When the response doesn't have the correct CORS headers.
  */
-export function assertCorsResponse(response, origin) {
+export function assertCorsResponse(response, origin, isPreflight = false) {
 	const originHeader = response.headers.get(CORS_ALLOW_ORIGIN);
+	const NetworkError = isPreflight ? CorsPreflightError : CorsError;
 
 	if (!originHeader) {
-		throw new CorsPreflightError(
+		throw new NetworkError(
 			response.url,
 			origin,
 			"No 'Access-Control-Allow-Origin' header is present on the requested resource.",
 		);
 	}
-
-	if (originHeader !== "*" && originHeader !== origin) {
-		throw new CorsError(
+	
+	// multiple values are not allowed
+	if (originHeader.includes(",")) {
+		throw new NetworkError(
 			response.url,
 			origin,
-			`The 'Access-Control-Allow-Origin' header has a value '${originHeader}' that is not equal to the supplied origin.`,
+			`The 'Access-Control-Allow-Origin' header contains multiple values '${originHeader}', but only one is allowed.`,
 		);
 	}
+	
+	if (originHeader !== "*") {
+		// must be a valid origin
+		if (!isValidOrigin(origin)) {
+			throw new NetworkError(
+				response.url,
+				origin,
+				`The 'Access-Control-Allow-Origin' header contains the invalid value '${originHeader}'.`,
+			);
+		}
+
+		const originUrl = new URL(origin);
+		
+		if (originUrl.origin !== originHeader) {
+			throw new NetworkError(
+				response.url,
+				origin,
+				`The 'Access-Control-Allow-Origin' header has a value '${originHeader}' that is not equal to the supplied origin.`,
+			);
+		}
+	}
 }
 
 /**
diff --git a/src/fetch-mocker.js b/src/fetch-mocker.js
@@ -461,7 +461,7 @@ export class FetchMocker {
 			);
 		}
 
-		assertCorsResponse(preflightResponse, this.#baseUrl.origin);
+		assertCorsResponse(preflightResponse, this.#baseUrl.origin, true);
 
 		// create the preflight data
 		preflightData = new CorsPreflightData(preflightResponse.headers);
diff --git a/tests/cors.test.js b/tests/cors.test.js
@@ -2,14 +2,14 @@
  * @fileoverview Tests for the CORS utilities.
  * @autor Nicholas C. Zakas
  */
-/* global Request, Headers */
+/* global Request, Headers, Response */
 
 //-----------------------------------------------------------------------------
 // Imports
 //-----------------------------------------------------------------------------
 
 import assert from "node:assert";
-import { isCorsSimpleRequest, getUnsafeHeaders } from "../src/cors.js";
+import { isCorsSimpleRequest, getUnsafeHeaders, assertCorsResponse } from "../src/cors.js";
 
 //-----------------------------------------------------------------------------
 // Tests
@@ -251,4 +251,98 @@ describe("http", () => {
 			);
 		});
 	});
+
+	describe("assertCorsResponse()", () => {
+		it("should not throw when Access-Control-Allow-Origin is *", () => {
+			const headers = new Headers({
+				"Access-Control-Allow-Origin": "*"
+			});
+			const response = new Response(null, { headers });
+			
+			assert.doesNotThrow(() => {
+				assertCorsResponse(response, "https://example.com");
+			});
+		});
+
+		it("should not throw when Access-Control-Allow-Origin matches origin", () => {
+			const origin = "https://example.com";
+			const headers = new Headers({
+				"Access-Control-Allow-Origin": origin
+			});
+			const response = new Response(null, { headers });
+			
+			assert.doesNotThrow(() => {
+				assertCorsResponse(response, origin);
+			});
+		});
+
+		it("should throw when Access-Control-Allow-Origin header is missing", () => {
+			const response = new Response();
+			const origin = "https://example.com";
+			
+			assert.throws(() => {
+				assertCorsResponse(response, origin);
+			}, {
+				name: "CorsError",
+				message: `Access to fetch at '${response.url}' from origin '${origin}' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.`
+			});
+		});
+
+		it("should throw when Access-Control-Allow-Origin doesn't match origin", () => {
+			const headers = new Headers({
+				"Access-Control-Allow-Origin": "https://example.com"
+			});
+			const response = new Response(null, { headers });
+			const origin = "https://other.com";
+			
+			assert.throws(() => {
+				assertCorsResponse(response, origin);
+			}, {
+				name: "CorsError",
+				message: `Access to fetch at '${response.url}' from origin '${origin}' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://example.com' that is not equal to the supplied origin.`
+			});
+		});
+
+		it("should throw when Access-Control-Allow-Origin contains multiple values", () => {
+			const headers = new Headers({
+				"Access-Control-Allow-Origin": "https://example.com, https://other.com"
+			});
+			const response = new Response(null, { headers });
+			const origin = "https://example.com";
+			
+			assert.throws(() => {
+				assertCorsResponse(response, origin);
+			}, {
+				name: "CorsError",
+				message: `Access to fetch at '${response.url}' from origin '${origin}' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values 'https://example.com, https://other.com', but only one is allowed.`
+			});
+		});
+
+		it("should throw CorsPreflightError when Access-Control-Allow-Origin header is missing in preflight", () => {
+			const response = new Response();
+			const origin = "https://example.com";
+			
+			assert.throws(() => {
+				assertCorsResponse(response, origin, true);
+			}, {
+				name: "CorsPreflightError",
+				message: `Access to fetch at '${response.url}' from origin '${origin}' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.`
+			});
+		});
+
+		it("should throw CorsPreflightError when Access-Control-Allow-Origin doesn't match origin in preflight", () => {
+			const headers = new Headers({
+				"Access-Control-Allow-Origin": "https://example.com"
+			});
+			const response = new Response(null, { headers });
+			const origin = "https://other.com";
+			
+			assert.throws(() => {
+				assertCorsResponse(response, origin, true);
+			}, {
+				name: "CorsPreflightError",
+				message: `Access to fetch at '${response.url}' from origin '${origin}' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'https://example.com' that is not equal to the supplied origin.`
+			});
+		});
+	});
 });
diff --git a/tests/fetch-mocker.test.js b/tests/fetch-mocker.test.js
@@ -841,8 +841,8 @@ describe("FetchMocker", () => {
 				server.get("/hello", 200);
 
 				await assert.rejects(fetchMocker.fetch(url), {
-					name: "CorsPreflightError",
-					message: `Access to fetch at '${url.href}' from origin '${origin}' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.`,
+					name: "CorsError",
+					message: `Access to fetch at '${url.href}' from origin '${origin}' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.`,
 				});
 			});
 
@@ -1446,8 +1446,8 @@ describe("FetchMocker", () => {
 					await assert.rejects(
 						fetchMocker.fetch(url, { headers: { Custom: "Foo" } }),
 						{
-							name: "CorsError",
-							message: `Access to fetch at '${url.href}' from origin '${origin}' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header has a value 'https://api.example.com' that is not equal to the supplied origin.`,
+							name: "CorsPreflightError",
+							message: `Access to fetch at '${url.href}' from origin '${origin}' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header has a value 'https://api.example.com' that is not equal to the supplied origin.`,
 						},
 					);
 				});

Original file line number	Diff line number	Diff line change
`@@ -461,7 +461,7 @@ export class FetchMocker {`
`461`	`461`	`);`
`462`	`462`	`}`
`463`	`463`
`464`		`- assertCorsResponse(preflightResponse, this.#baseUrl.origin);`
	`464`	`+ assertCorsResponse(preflightResponse, this.#baseUrl.origin, true);`
`465`	`465`
`466`	`466`	`// create the preflight data`
`467`	`467`	`preflightData = new CorsPreflightData(preflightResponse.headers);`