19 changes: 13 additions & 6 deletions lib/models/solid-host.js
Expand Up @@ -72,12 +72,14 @@ class SolidHost {
allowsSessionFor (userId, origin) {
// Allow no user or an empty origin
if (!userId || !origin) return true
// Allow the server's main domain
if (origin === this.serverUri) return true
// Allow the user's subdomain
const userIdHost = userId.replace(/([^:/])\/.*/, '$1')
if (origin === userIdHost) return true
// Disallow everything else
// Allow the server and subdomains
const originHost = getHostName(origin)
const serverHost = getHostName(this.serverUri)
if (originHost === serverHost) return true
if (originHost.endsWith('.' + serverHost)) return true
// Allow the user's own domain
const userHost = getHostName(userId)
if (originHost === userHost) return true
return false
}

Expand Down Expand Up @@ -109,4 +111,9 @@ class SolidHost {
}
}

function getHostName (url) {
const match = url.match(/^\w+:\/*([^/]+)/)
return match ? match[1] : ''
}

module.exports = SolidHost
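Review bot: The new `originHost === serverHost` comparison in `allowsSessionFor` matches on host name only, so an `http://test.local` origin now passes where the removed `origin === this.serverUri` check required the scheme to match as well; if plaintext origins are not meant to be trusted, keep a scheme comparison ahead of the host checks, e.g. `if (origin.replace(/:.*/, '') !== this.serverUri.replace(/:.*/, '')) return false` (the user's-own-domain branch may need the same treatment against the userId's scheme). Related, `getHostName` captures everything up to the first `/`, so a port stays in the returned string and `https://foo.test.local:8443` will not end with `.test.local` while `serverUri` has no port — decide whether ports are stripped or compared and pin it in a test. Neither side is lowercased; host names are case-insensitive, so returning `match[1].toLowerCase()` would avoid a spurious mismatch on a mixed-case `serverUri`. `getHostName` would also benefit from a header comment such as `/** Returns the authority (host[:port]) of a URL, or '' if it does not parse. */`. The enclosing `SolidHost` class starts before this hunk.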
14 changes: 7 additions & 7 deletions test/unit/solid-host-test.js
Expand Up @@ -55,23 +55,23 @@ describe('SolidHost', () => {
})

it('should allow a userId with empty origin', () => {
expect(host.allowsSessionFor('https://user.test.local/profile/card#me', '')).to.be.true
expect(host.allowsSessionFor('https://user.own/profile/card#me', '')).to.be.true
})

it('should allow a userId with the user subdomain as origin', () => {
expect(host.allowsSessionFor('https://user.test.local/profile/card#me', 'https://user.test.local')).to.be.true
expect(host.allowsSessionFor('https://user.own/profile/card#me', 'https://user.own')).to.be.true
})

it('should disallow a userId with another subdomain as origin', () => {
expect(host.allowsSessionFor('https://user.test.local/profile/card#me', 'https://other.test.local')).to.be.false
it('should allow a userId with the server domain as origin', () => {
expect(host.allowsSessionFor('https://user.own/profile/card#me', 'https://test.local')).to.be.true
})

it('should allow a userId with the server domain as origin', () => {
expect(host.allowsSessionFor('https://user.test.local/profile/card#me', 'https://test.local')).to.be.true
it('should allow a userId with a server subdomain as origin', () => {
expect(host.allowsSessionFor('https://user.own/profile/card#me', 'https://other.test.local')).to.be.true
})

it('should disallow a userId from a different domain', () => {
expect(host.allowsSessionFor('https://user.test.local/profile/card#me', 'https://other.remote')).to.be.false
expect(host.allowsSessionFor('https://user.own/profile/card#me', 'https://other.remote')).to.be.false
})
})
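Review bot: The rewritten "server subdomain as origin" test pins that arbitrary subdomains are allowed, but nothing pins that the new `endsWith('.' + serverHost)` check rejects look-alike hosts, which is the case an attacker would actually try; add `it('should disallow an origin that merely ends with the server domain', () => { expect(host.allowsSessionFor('https://user.own/profile/card#me', 'https://evil-test.local')).to.be.false })`. The implementation change also drops the scheme from the comparison, and no test here exercises an `http://test.local` origin against the https server — a test either way would document whether that is intended. The enclosing `describe` block starts before this hunk.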
