Skip to content

Commit

Permalink
Track URI status for the CORS bouncer
Browse files Browse the repository at this point in the history
A host can and has returned different CORS headers per HTTP endpoint.
Because of this, we cannot reliably assume that the entire hostname is
either CORS-safe or not.
  • Loading branch information
samholmes committed Aug 23, 2024
1 parent 0d6cc66 commit e15bd6e
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 6 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@

## Unreleased

- fixed: Use full URI to determine whether a request has previously succeeded CORS

## 2.13.0 (2024-08-12)

- added: `EdgeStreamTransactionOptions.spamThreshold`.
Expand Down
11 changes: 5 additions & 6 deletions src/io/react-native/react-native-worker.ts
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,8 @@ import { hideProperties } from '../hidden-properties'
import { makeNativeBridge } from './native-bridge'
import { WorkerApi, YAOB_THROTTLE_MS } from './react-native-types'

// Tracks the status of different domains for the CORS bouncer:
const hostnameCorsState = new Map<
// Tracks the status of different URIs for the CORS bouncer:
const uriCorsState = new Map<
string,
{
// The window.fetch worked:
Expand Down Expand Up @@ -179,13 +179,12 @@ async function makeIo(): Promise<EdgeIo> {
uri: string,
opts: EdgeFetchOptions = {}
): Promise<EdgeFetchResponse> {
const { hostname } = new URL(uri)
const state = hostnameCorsState.get(hostname) ?? {
const state = uriCorsState.get(uri) ?? {
windowSuccess: false,
nativeSuccess: false
}
if (!hostnameCorsState.has(hostname)) {
hostnameCorsState.set(hostname, state)
if (!uriCorsState.has(uri)) {
uriCorsState.set(uri, state)
}

// If the native fetch worked,
Expand Down

0 comments on commit e15bd6e

Please sign in to comment.