forked from axios/axios
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix: use URL API instead of DOM to fix a potential vulnerability warn…
…ing; (axios#6714)
- Loading branch information
1 parent
c71811b
commit 0a8d6e1
Showing
1 changed file
with
12 additions
and
65 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,67 +1,14 @@ | ||
| 'use strict'; | ||
|
|
||
| import utils from './../utils.js'; | ||
| import platform from '../platform/index.js'; | ||
|
|
||
| export default platform.hasStandardBrowserEnv ? | ||
|
|
||
| // Standard browser envs have full support of the APIs needed to test | ||
| // whether the request URL is of the same origin as current location. | ||
| (function standardBrowserEnv() { | ||
| const msie = platform.navigator && /(msie|trident)/i.test(platform.navigator.userAgent); | ||
| const urlParsingNode = document.createElement('a'); | ||
| let originURL; | ||
|
|
||
| /** | ||
| * Parse a URL to discover its components | ||
| * | ||
| * @param {String} url The URL to be parsed | ||
| * @returns {Object} | ||
| */ | ||
| function resolveURL(url) { | ||
| let href = url; | ||
|
|
||
| if (msie) { | ||
| // IE needs attribute set twice to normalize properties | ||
| urlParsingNode.setAttribute('href', href); | ||
| href = urlParsingNode.href; | ||
| } | ||
|
|
||
| urlParsingNode.setAttribute('href', href); | ||
|
|
||
| // urlParsingNode provides the UrlUtils interface - http://url.spec.whatwg.org/#urlutils | ||
| return { | ||
| href: urlParsingNode.href, | ||
| protocol: urlParsingNode.protocol ? urlParsingNode.protocol.replace(/:$/, '') : '', | ||
| host: urlParsingNode.host, | ||
| search: urlParsingNode.search ? urlParsingNode.search.replace(/^\?/, '') : '', | ||
| hash: urlParsingNode.hash ? urlParsingNode.hash.replace(/^#/, '') : '', | ||
| hostname: urlParsingNode.hostname, | ||
| port: urlParsingNode.port, | ||
| pathname: (urlParsingNode.pathname.charAt(0) === '/') ? | ||
| urlParsingNode.pathname : | ||
| '/' + urlParsingNode.pathname | ||
| }; | ||
| } | ||
|
|
||
| originURL = resolveURL(window.location.href); | ||
|
|
||
| /** | ||
| * Determine if a URL shares the same origin as the current location | ||
| * | ||
| * @param {String} requestURL The URL to test | ||
| * @returns {boolean} True if URL shares the same origin, otherwise false | ||
| */ | ||
| return function isURLSameOrigin(requestURL) { | ||
| const parsed = (utils.isString(requestURL)) ? resolveURL(requestURL) : requestURL; | ||
| return (parsed.protocol === originURL.protocol && | ||
| parsed.host === originURL.host); | ||
| }; | ||
| })() : | ||
|
|
||
| // Non standard browser envs (web workers, react-native) lack needed support. | ||
| (function nonStandardBrowserEnv() { | ||
| return function isURLSameOrigin() { | ||
| return true; | ||
| }; | ||
| })(); | ||
| export default platform.hasStandardBrowserEnv ? ((origin, isMSIE) => (url) => { | ||
| url = new URL(url, platform.origin); | ||
|
|
||
| return ( | ||
| origin.protocol === url.protocol && | ||
| origin.host === url.host && | ||
| (isMSIE || origin.port === url.port) | ||
| ); | ||
| })( | ||
| new URL(platform.origin), | ||
| platform.navigator && /(msie|trident)/i.test(platform.navigator.userAgent) | ||
| ) : () => true; |