overleaf · timdown · Jan 31, 2025 · Jan 31, 2025 · Jan 24, 2025 · Seinzu
diff --git a/History.md b/History.md
@@ -1,3 +1,11 @@
+0.9.19-overleaf-11 / 2025-01-24
+===============================
+
+* Overleaf: Overhaul origins option to allow a regex, function, string or boolean, or an array of any mix of these
+* Overleaf: Change origins option default to disallow any origin
+* Overleaf: Remove htmlfile transport
+* Overleaf: Remove flashsocket transport
+
 0.9.19-overleaf-10 / 2023-04-25
 ===============================
 

diff --git a/Readme.md b/Readme.md
@@ -329,7 +329,7 @@ Configuration in socket.io is TJ-style:
 var io = require('socket.io').listen(80);
 
 io.configure(function () {
-  io.set('transports', ['websocket', 'flashsocket', 'xhr-polling']);
+  io.set('transports', ['websocket', 'xhr-polling']);
 });
 
 io.configure('development', function () {

diff --git a/lib/manager.js b/lib/manager.js
@@ -34,7 +34,6 @@ exports = module.exports = Manager;
 
 var defaultTransports = exports.defaultTransports = [
     'websocket'
-  , 'htmlfile'
   , 'xhr-polling'
   , 'jsonp-polling'
 ];
@@ -60,7 +59,7 @@ function Manager (server, options) {
   this.namespaces = {};
   this.sockets = this.of('');
   this.settings = {
-      origins: '*:*'
+      origins: []
     , log: true
     , store: new MemoryStore
     , logger: new Logger
@@ -76,8 +75,6 @@ function Manager (server, options) {
     , 'heartbeat interval': 25
     , 'heartbeat timeout': 60
     , 'polling duration': 20
-    , 'flash policy server': true
-    , 'flash policy port': 10843
     , 'destroy upgrade': true
     , 'destroy buffer size': 10E7
     , 'browser client': true
@@ -873,40 +870,45 @@ Manager.prototype.handshakeData = function (data, connection) {
   };
 };
 
+function isString(s) {
+  return typeof s === 'string' || s instanceof String;
+}
+
+// Adapted from Express's CORS module
+// (https://github.com/expressjs/cors/blob/1cfb3709dec33dfa7ae95a3a554f2dd10498c7f9/lib/index.js)
+Manager.prototype.isOriginAllowed = function (origin) {
+  var allowedOrigin = this.get('origins');
+  if (typeof allowedOrigin === 'function') {
+    return allowedOrigin(origin);
+  } else if (Array.isArray(allowedOrigin)) {
+    for (var i = 0; i < allowedOrigin.length; ++i) {
+      if (this.isOriginAllowed(origin, allowedOrigin[i])) {
+        return true;
+      }
+    }
+    return false;
+  } else if (isString(allowedOrigin)) {
+    return allowedOrigin === '*' || origin === allowedOrigin;
+  } else if (allowedOrigin instanceof RegExp) {
+    return allowedOrigin.test(origin);
+  } else {
+    return !!allowedOrigin;
+  }
+};
+
 /**
  * Verifies the origin of a request.
  *
  * @api private
  */
 
 Manager.prototype.verifyOrigin = function (request) {
-  var origin = request.headers.origin || request.headers.referer
-    , origins = this.get('origins');
-
-  if (origin === 'null') origin = '*';
-
-  if (origins.indexOf('*:*') !== -1) {
-    return true;
+  var origin = request.headers.origin || request.headers.referer;
+  var allowed = this.isOriginAllowed(origin);
+  if (!origin && !allowed) {
+    this.log.warn('origin missing from handshake, yet required by config', { headers: request.headers });
   }
-
-  if (origin) {
-    try {
-      var parts = url.parse(origin);
-      parts.port = parts.port || 80;
-      var ok =
-        ~origins.indexOf(parts.hostname + ':' + parts.port) ||
-        ~origins.indexOf(parts.hostname + ':*') ||
-        ~origins.indexOf('*:' + parts.port);
-      if (!ok) this.log.warn('illegal origin: ' + origin);
-      return ok;
-    } catch (ex) {
-      this.log.warn('error parsing origin');
-    }
-  }
-  else {
-    this.log.warn('origin missing from handshake, yet required by config');
-  }
-  return false;
+  return allowed;
 };
 
 /**

diff --git a/lib/transports/flashsocket.js b/lib/transports/flashsocket.js
diff --git a/lib/transports/htmlfile.js b/lib/transports/htmlfile.js
diff --git a/lib/transports/index.js b/lib/transports/index.js
@@ -5,8 +5,6 @@
 
 module.exports = {
     websocket: require('./websocket')
-  , flashsocket: require('./flashsocket')
-  , htmlfile: require('./htmlfile')
   , 'xhr-polling': require('./xhr-polling')
   , 'jsonp-polling': require('./jsonp-polling')
 };
diff --git a/lib/transports/websocket/hybi-07-12.js b/lib/transports/websocket/hybi-07-12.js
@@ -155,32 +155,11 @@ WebSocket.prototype.onSocketConnect = function () {
  */
 
 WebSocket.prototype.verifyOrigin = function (origin) {
-  var origins = this.manager.get('origins');
-
-  if (origin === 'null') origin = '*';
-
-  if (origins.indexOf('*:*') !== -1) {
-    return true;
-  }
-
-  if (origin) {
-    try {
-      var parts = url.parse(origin);
-      parts.port = parts.port || 80;
-      var ok =
-        ~origins.indexOf(parts.hostname + ':' + parts.port) ||
-        ~origins.indexOf(parts.hostname + ':*') ||
-        ~origins.indexOf('*:' + parts.port);
-      if (!ok) this.log.warn('illegal origin: ' + origin);
-      return ok;
-    } catch (ex) {
-      this.log.warn('error parsing origin');
-    }
-  }
-  else {
-    this.log.warn('origin missing from websocket call, yet required by config');        
+  var allowed = this.manager.isOriginAllowed(origin);
+  if (!origin && !allowed) {
+    this.log.warn('origin missing from websocket call, yet required by config', { headers: this.req.headers });
   }
-  return false;
+  return allowed;
 };
 
 /**