
also disable sending Access-Control-Allow-Origin on empty URI path, preventing leakage of default.js
1 parent 3c65807 commit b3bcd3009ca51b4333c21f7df96ed79088b77501 @tmuellerleile tmuellerleile committed with Jul 14, 2011
Showing with 4 additions and 2 deletions.
  1. +4 −2 bin/djsd
@@ -23,8 +23,10 @@ dotjs = Class.new(WEBrick::HTTPServlet::AbstractServlet) do
body << File.read(file) if File.file?(file)
response.status = body.empty? ? 204 : 200
- if request.header['origin'].length == 1 and request.header['origin'][0].match(request.path.gsub('/','').gsub(/\.js$/,'') + '$')
- response['Access-Control-Allow-Origin'] = request.header['origin'][0]
+ if request.header['origin'].length == 1 and
+ request.path.length != 1 and
+ request.header['origin'][0].match(request.path.gsub('/','').gsub(/\.js$/,'') + '$')
+ response['Access-Control-Allow-Origin'] = request.header['origin'][0]
end
response['Content-Type'] = 'text/javascript'
response.body = body
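Review bot: The new `request.path.length != 1` guard only covers the bare `/` path, while the empty-pattern case it is meant to stop arises whenever the derived host string is empty — a path such as `/.js` still reduces to `'' + '$'`, which matches any Origin. Derive the host first and test it directly: `host = request.path.gsub('/','').gsub(/\.js$/,'')` followed by `if request.header['origin'].length == 1 and !host.empty? and request.header['origin'][0].match(Regexp.escape(host) + '$')`. The `Regexp.escape` matters because the host is interpolated into a regex unescaped, so each `.` currently matches any character; and since the pattern is anchored only with `$`, any Origin whose host merely ends with the expected name is still accepted, so comparing the parsed Origin host for equality would be the stricter check. The enclosing request handler starts before and continues after this hunk.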
