From 484067bdc4f9c041b9caf17fc4652a8f2e194242 Mon Sep 17 00:00:00 2001
From: Erwin Mombay
Date: Mon, 4 Jan 2016 15:58:51 -0800
Subject: [PATCH] fix(cid): localhost should only be considered as proxy if prefix is c or
---
 src/service/cid-impl.js | 15 ++++++---------
 test/functional/test-cid.js | 6 +++++-
 2 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/src/service/cid-impl.js b/src/service/cid-impl.js
index ee92a45c0a12..1a742e8efaa7 100644
--- a/src/service/cid-impl.js
+++ b/src/service/cid-impl.js
@@ -24,7 +24,6 @@

 import {assert} from '../asserts';
 import {getCookie} from '../cookies';
-import {getMode} from '../mode';
 import {getService} from '../service';
 import {parseUrl} from '../url';
 import {timer} from '../timer';
@@ -126,10 +125,13 @@ function getExternalCid(cid, externalCidScope, persistenceConsent) {
 * factored into its own package.
 */
 export function isProxyOrigin(url) {
+ const path = url.pathname.split('/');
+ const prefix = path[1];
 // List of well known proxy hosts. New proxies must be added here
 // to generate correct tokens.
 return (url.origin == 'https://cdn.ampproject.org' ||
- url.origin.indexOf('http://localhost:') == 0);
+ (url.origin.indexOf('http://localhost:') == 0 &&
+ (prefix == 'c' || prefix == 'v')));
 }

 /**
@@ -147,13 +149,8 @@ export function getSourceOrigin(url) {
 // The /s/ is optional and signals a secure origin.
 const path = url.pathname.split('/');
 const prefix = path[1];
- const mode = getMode();
- // whitelist while localdev and file is in build/ or examples/
- if (!(mode.localDev &&
- (prefix == 'examples.build' || prefix == 'examples'))) {
- assert(prefix == 'c' || prefix == 'v',
- 'Unknown path prefix in url %s', url.href);
- }
+ assert(prefix == 'c' || prefix == 'v',
+ 'Unknown path prefix in url %s', url.href);
 const domainOrHttpsSignal = path[2];
 const origin = domainOrHttpsSignal == 's'
 ? 'https://' + path[3]
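Review bot: The localhost clause in the `return` of isProxyOrigin does not depend on the build mode, so any page served from `http://localhost:<port>/c/…` or `/v/…` is treated as the AMP proxy in every build, and nothing in the hunk says whether that is meant for local development only. Since this commit also drops the `getMode` import, I would at least document the decision above that clause, e.g. `// localhost is accepted as a proxy origin for local development; this is not gated on mode.localDev.`, or keep the import and add `getMode().localDev &&` to the localhost clause. The function's doc comment starts outside the hunk and should also state that the path prefix is checked for localhost but not for `https://cdn.ampproject.org`.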
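Review bot: With the prefix assert now unconditional in getSourceOrigin, the next unchecked input is `path[2]`: a URL such as `http://localhost:123/c`, which the updated tests accept as a proxy origin, has no domain segment, so `domainOrHttpsSignal` is `undefined` and the origin is built from a missing path element. Consider adding, right after `const domainOrHttpsSignal = path[2];`, the check `assert(domainOrHttpsSignal, 'Missing source domain in url %s', url.href);`, with a matching check on `path[3]` for the `/s/` form. The rest of the function lies outside the hunk, so this may already be handled further down.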
diff --git a/test/functional/test-cid.js b/test/functional/test-cid.js
index 9d6e620bf002..4c817c9e90d0 100644
--- a/test/functional/test-cid.js
+++ b/test/functional/test-cid.js
@@ -380,7 +380,11 @@ describe('isProxyOrigin', () => {
 testProxyOrigin(
 'https://cdn.ampproject.org/v/www.origin.com/foo/?f=0', true);
 testProxyOrigin(
- 'http://localhost:123', true);
+ 'http://localhost:123', false);
+ testProxyOrigin(
+ 'http://localhost:123/c', true);
+ testProxyOrigin(
+ 'http://localhost:123/v', true);
 testProxyOrigin(
 'https://cdn.ampproject.net/v/www.origin.com/foo/?f=0', false);
 testProxyOrigin(
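Review bot: The updated cases cover bare localhost and the two accepted prefixes, but there is no negative case for a localhost URL with a non-proxy prefix, which is the behaviour this commit changes. Adding `testProxyOrigin('http://localhost:123/examples/foo.html', false);` and a look-alike such as `testProxyOrigin('http://localhost:123/cx/www.origin.com/', false);` (both constructed sample URLs) would pin the exact-match prefix check against a later loosening to a substring or prefix match. The describe block begins and ends outside the hunk.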