[英]Cloudflare worker strips headers
我正在尝试将我的 CORS 检查器应用程序从 heroku 迁移到 cloudflare workers,因为它似乎非常适合我的用例。
heroku 应用程序使用 axios 向网站请求选项调用,以查看是否有带有 x-frame-options 的标题。 如果是这样,我检查它是否被拒绝,并在 REST 响应中将其作为 boolean 值返回。
这听起来很简单,但我无法让它在 cloudflare workers 上运行。 我是否正确地假设 cloudflare 正在剥离这些标头并且没有办法让它与 cloudflare worker 一起工作?
这是完整的工人代码
// node_modules/itty-router/dist/itty-router.mjs
var e = ({ base: e2 = "", routes: r = [] } = {}) => ({ __proto__: new Proxy({}, { get: (a, o, t) => (a2, ...p) => r.push([o.toUpperCase(), RegExp(`^${(e2 + a2).replace(/(\/?)\*/g, "($1.*)?").replace(/(\/$)|((?<=\/)\/)/, "").replace(/(:(\w+)\+)/, "(?<$2>.*)").replace(/:(\w+)(\?)?(\.)?/g, "$2(?<$1>[^/]+)$2$3").replace(/\.(?=[\w(])/, "\\.").replace(/\)\.\?\(([^\[]+)\[\^/g, "?)\\.?($1(?<=\\.)[^\\.")}/*$`), p]) && t }), routes: r, async handle(e3, ...a) {
let o, t, p = new URL(e3.url), l = e3.query = {};
for (let [e4, r2] of p.searchParams)
l[e4] = void 0 === l[e4] ? r2 : [l[e4], r2].flat();
for (let [l2, s, c] of r)
if ((l2 === e3.method || "ALL" === l2) && (t = p.pathname.match(s))) {
e3.params = t.groups || {};
for (let r2 of c)
if (void 0 !== (o = await r2(e3.proxy || e3, ...a)))
return o;
}
} });
// src/index.ts
var router = e();
var corsHeaders = {
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "GET,HEAD,POST,OPTIONS",
"Access-Control-Max-Age": "86400"
};
function jsonResponse(body) {
return new Response(JSON.stringify(body), {
status: 200,
headers: {
"Content-Type": "application/json",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"
}
});
}
function handleOptions(request) {
let headers = request.headers;
if (headers.get("Origin") !== null && headers.get("Access-Control-Request-Method") !== null && headers.get("Access-Control-Request-Headers") !== null) {
let respHeaders = {
...corsHeaders,
"Access-Control-Allow-Headers": request.headers.get("Access-Control-Request-Headers")
};
return new Response(null, {
headers: respHeaders
});
} else {
return new Response(null, {
headers: {
Allow: "GET, HEAD, POST, OPTIONS"
}
});
}
}
router.options("/test-cors", async function(request) {
return handleOptions(request);
});
router.post("/test-cors", async function(request) {
const url = request.body.url;
const externalRequest = new Request(url, { method: "head" });
try {
let response = await fetch(externalRequest);
if (response.headers.get("x-frame-options") !== null) {
const frameOptionsValue = response.headers.get("x-frame-options");
if (frameOptionsValue === "SAMEORIGIN") {
return jsonResponse({ canAccess: false });
} else {
return jsonResponse({ canAccess: true });
}
} else {
return jsonResponse({ canAccess: true });
}
} catch (error) {
console.error(error);
if (error.code === "ENOTFOUND" || error.response.status === 404) {
return jsonResponse({ canAccess: false, reason: "NOT_FOUND" });
} else {
return jsonResponse({ canAccess: false });
}
}
});
router.all("*", (request, args) => {
return new Response("Not Found", {
status: 404,
headers: {
"Content-Type": "text/html; charset=utf-8",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"
}
});
});
var src_default = {
async fetch(request, env, ctx) {
return router.handle(request);
}
};
export {
src_default as default
};
//# sourceMappingURL=index.js.map
因此,我与该功能背后的开发人员进行了交谈,结果发现我试图针对 header 测试的网站针对调用 IP 设置了不同的行为。
由于编辑器从您的浏览器运行 fetch,因此 IP 不同并且不会触发该效果。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.