feat: add wildcard support to trusted-origins (#7697)

2026-04-13 21:32:52 -05:00 · 2026-03-25 15:04:06 -04:00
parent d544846caa
commit 4d615f18a9
2 changed files with 63 additions and 2 deletions
--- a/src/node/http.ts
+++ b/src/node/http.ts
@@ -351,6 +351,25 @@ export function ensureOrigin(req: express.Request, _?: express.Response, next?:
  }
 }

+/**
+ * Return true if the origin matches any trusted origin.  Entries are matched
+ * as exact strings, the special wildcard `"*"`, or `*.example.com`-style
+ * domain wildcards (same as --proxy-domain).
+ */
+export function isTrustedOrigin(origin: string, trustedOrigins: string[]): boolean {
+  return trustedOrigins.some((trusted) => {
+    if (trusted === "*" || trusted === origin) {
+      return true
+    }
+    // *.example.com style: match origin if it is the domain or a subdomain
+    if (trusted.startsWith("*.")) {
+      const domain = trusted.slice(2).toLowerCase()
+      return origin === domain || origin.endsWith("." + domain)
+    }
+    return false
+  })
+}
+
 /**
 * Authenticate the request origin against the host.  Throw if invalid.
 */
@@ -370,7 +389,7 @@ export function authenticateOrigin(req: express.Request): void {
  }

  const trustedOrigins = req.args["trusted-origins"] || []
-  if (trustedOrigins.includes(origin) || trustedOrigins.includes("*")) {
+  if (isTrustedOrigin(origin, trustedOrigins)) {
    return
  }