rejectNoCorsRequest.ts — vite Source File
Architecture documentation for rejectNoCorsRequest.ts, a typescript file in the vite codebase. 1 imports, 1 dependents.
Dependency Diagram
graph LR
  9f34ee4d_41ed_f961_b44b_324bb9f1ea7a["rejectNoCorsRequest.ts"]
  9165291b_077b_bedb_8c23_36e44bc99390["connect"]
  9f34ee4d_41ed_f961_b44b_324bb9f1ea7a --> 9165291b_077b_bedb_8c23_36e44bc99390
  a423a1ed_f7d8_0eb5_9b8f_ddfa7fa8147e["index.ts"]
  a423a1ed_f7d8_0eb5_9b8f_ddfa7fa8147e --> 9f34ee4d_41ed_f961_b44b_324bb9f1ea7a
  style 9f34ee4d_41ed_f961_b44b_324bb9f1ea7a fill:#6366f1,stroke:#818cf8,color:#fff
Source Code
import type { Connect } from '#dep-types/connect'

/**
 * A middleware that rejects no-cors mode requests that are not same-origin.
 *
 * We should prevent untrusted sites from loading the script, to avoid attacks like GHSA-4v9v-hfq4-rm2v.
 * This is because:
 * - the path of HMR patch files / entry point files can be predictable
 * - the HMR patch files may not include ESM syntax
 *   (if they include ESM syntax, loading as a classic script would fail)
 * - the HMR runtime in the browser has the list of all loaded modules
 *
 * https://github.com/webpack/webpack-dev-server/security/advisories/GHSA-4v9v-hfq4-rm2v
 * https://green.sapphi.red/blog/local-server-security-best-practices#_2-using-xssi-and-modifying-the-prototype
 * https://green.sapphi.red/blog/local-server-security-best-practices#properly-check-the-request-origin
 */
export function rejectNoCorsRequestMiddleware(): Connect.NextHandleFunction {
  // Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
  return function viteRejectNoCorsRequestMiddleware(req, res, next) {
    // While we could set the Cross-Origin-Resource-Policy header instead of rejecting requests,
    // we choose to reject the request to be safer in case the request handler has any side-effects.
    if (
      req.headers['sec-fetch-mode'] === 'no-cors' &&
      req.headers['sec-fetch-site'] !== 'same-origin' &&
      // we only need to block classic script requests
      req.headers['sec-fetch-dest'] === 'script'
    ) {
      res.statusCode = 403
      res.end(
        'Cross-origin requests for classic scripts must be made with CORS mode enabled. Make sure to set the "crossorigin" attribute on your <script> tag.',
      )
      return
    }
    return next()
  }
}
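The decision above hinges on three Fetch Metadata headers, and it is easiest to see which loads it stops by running it over the header sets a browser sends for each kind of request. The block below is an added example, not vite's code: it inlines the same condition (replacing the `#dep-types/connect` import with minimal local types, so it runs stand-alone) and feeds it constructed header sets. The scenario names, the `simulate` and `blockedScenarios` helpers, and the dev-server URL in the comments are all assumptions made for the example.

```typescript
// Added example, not vite's own code: a self-contained harness that reproduces the
// middleware's decision (the '#dep-types/connect' import is replaced by minimal local
// types) and runs it over constructed Fetch Metadata header sets.

type FetchMetadata = Record<string, string | undefined>

interface FakeReq {
  headers: FetchMetadata
}

interface FakeRes {
  statusCode: number
  body: string
  end(chunk?: string): void
}

// Same condition as viteRejectNoCorsRequestMiddleware above (assumption: kept in sync by hand).
function rejectNoCorsRequest(req: FakeReq, res: FakeRes, next: () => void): void {
  if (
    req.headers['sec-fetch-mode'] === 'no-cors' &&
    req.headers['sec-fetch-site'] !== 'same-origin' &&
    req.headers['sec-fetch-dest'] === 'script'
  ) {
    res.statusCode = 403
    res.end(
      'Cross-origin requests for classic scripts must be made with CORS mode enabled. ' +
        'Make sure to set the "crossorigin" attribute on your <script> tag.',
    )
    return
  }
  next()
}

interface Outcome {
  status: number
  passedThrough: boolean // true when next() ran, i.e. the request reached later middleware
}

// Run one constructed request through the middleware and report what happened to it.
function simulate(headers: FetchMetadata): Outcome {
  let passedThrough = false
  const req: FakeReq = { headers }
  const res: FakeRes = {
    statusCode: 200,
    body: '',
    end(chunk?: string) {
      res.body = chunk ?? ''
    },
  }
  rejectNoCorsRequest(req, res, () => {
    passedThrough = true
  })
  return { status: res.statusCode, passedThrough }
}

// Constructed header sets modelled on what browsers send for each kind of load
// (values follow the Fetch Metadata spec; the dev-server URL is hypothetical).
const SCENARIOS: Record<string, FetchMetadata> = {
  // <script src="http://localhost:5173/@vite/client"> on a page from another site:
  // the load the middleware exists to stop
  crossSiteClassicScript: {
    'sec-fetch-mode': 'no-cors',
    'sec-fetch-site': 'cross-site',
    'sec-fetch-dest': 'script',
  },
  // the dev server's own page loading a classic script from itself
  sameOriginClassicScript: {
    'sec-fetch-mode': 'no-cors',
    'sec-fetch-site': 'same-origin',
    'sec-fetch-dest': 'script',
  },
  // <script type="module"> or <script crossorigin> on another site: CORS mode,
  // so the server's CORS configuration decides, not this middleware
  crossSiteModuleScript: {
    'sec-fetch-mode': 'cors',
    'sec-fetch-site': 'cross-site',
    'sec-fetch-dest': 'script',
  },
  // <img src="..."> from another site: no-cors, but not a script destination
  crossSiteImage: {
    'sec-fetch-mode': 'no-cors',
    'sec-fetch-site': 'cross-site',
    'sec-fetch-dest': 'image',
  },
  // a client sending no Fetch Metadata at all (curl, older browsers): not blocked here
  noFetchMetadata: {},
}

// Names of the scenarios the middleware rejects with 403.
function blockedScenarios(): string[] {
  return Object.keys(SCENARIOS).filter(
    (name) => simulate(SCENARIOS[name]).status === 403,
  )
}
```

Only the cross-site classic script is rejected; module scripts and `<script crossorigin>` arrive in CORS mode and are left to the server's CORS policy, and a request carrying no Fetch Metadata passes through untouched. That last case is why this middleware complements, rather than replaces, the request-origin checks the linked article describes: it relies on the browser to label the request honestly.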
Dependencies
- connect
Frequently Asked Questions
What does rejectNoCorsRequest.ts do?
rejectNoCorsRequest.ts is a source file in the vite codebase, written in typescript. It belongs to the ViteCore domain, ConfigEngine subdomain.
What functions are defined in rejectNoCorsRequest.ts?
rejectNoCorsRequest.ts defines 1 function(s): rejectNoCorsRequestMiddleware.
What does rejectNoCorsRequest.ts depend on?
rejectNoCorsRequest.ts imports 1 module(s): connect.
What files import rejectNoCorsRequest.ts?
rejectNoCorsRequest.ts is imported by 1 file(s): index.ts.
Where is rejectNoCorsRequest.ts in the architecture?
rejectNoCorsRequest.ts is located at packages/vite/src/node/server/middlewares/rejectNoCorsRequest.ts (domain: ViteCore, subdomain: ConfigEngine, directory: packages/vite/src/node/server/middlewares).