
Commit b075354

committed
Avoid parsing body of Netlify pages
1 parent e4c46e2 commit b075354

1 file changed

Lines changed: 14 additions & 5 deletions


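--- a/_cf/security-headers/index.js
+++ b/_cf/security-headers/index.js
@@ -115,6 +115,12 @@ async function handleRequest(req) {
 return addSecurity(req, requestUrl)
 }
 
+if (match = requestUrl.hostname.match(/^cv-(staging|role)-([^.]+)\./)) {
+const type = (match[1] == 'staging' ? 'deploy-preview' : 'role')
+requestUrl.hostname = `${type}-${match[2]}--cmbuckley-cv.netlify.app`
+return addSecurity(req, requestUrl)
+}
+
 if (req.method == 'POST' && requestUrl.hostname == 'cmbuckley.co.uk') {
 requestUrl.hostname = 'cmbuckley.netlify.app'
 return addSecurity(req, requestUrl)
@@ -126,7 +132,7 @@ async function handleRequest(req) {
 return Response.redirect(dest, 302)
 }
 
-if (requestUrl.hostname.match(/scripts\.cmbuckley\.co\.uk$/)) {
+if (requestUrl.hostname.endsWith('scripts.cmbuckley.co.uk')) {
 return await fetch(req)
 }
 
@@ -136,7 +142,7 @@ async function handleRequest(req) {
 async function addSecurity(req, url) {
 const response = await fetch(url || req.url, req)
 const newHdrs = new Headers(response.headers)
-const body = (req.method == 'POST' && url && !response.ok ? '' : response.body);
+let body = (req.method == 'POST' && url && !response.ok ? '' : response.body);
 
 if (newHdrs.has('Content-Type') && !newHdrs.get('Content-Type').includes('text/html')) {
 return new Response(body, {
@@ -147,8 +153,6 @@ async function addSecurity(req, url) {
 }
 
 const setHeaders = Object.assign({}, getSecurityHeaders(req), sanitiseHeaders)
-const newBody = (await response.text()).replace(/nonce=""/gm, `nonce="${nonce}"`)
-
 Object.keys(setHeaders).forEach(name => {
 if (!trustOrigin.includes(name) || !newHdrs.has(name)) {
 newHdrs.set(name, setHeaders[name])
@@ -159,7 +163,12 @@ async function addSecurity(req, url) {
 newHdrs.delete(name)
 })
 
-return new Response(newBody, {
+// only parse the body for non-altered URLs
+if (!url) {
+body = (await response.text()).replace(/nonce=""/gm, `nonce="${nonce}"`)
+}
+
+return new Response(body, {
 status: response.status,
 statusText: response.statusText,
 headers: newHdrs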
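Review bot: In the new `cv-(staging|role)-…` branch (new lines 118-122) the upstream hostname is built from `match[2]`, but the capture `([^.]+)` accepts any label text, including `--`, which the template `${type}-${match[2]}--cmbuckley-cv.netlify.app` itself uses as a separator. The pattern also leaves the rest of the hostname unchecked. Because the request's Host then decides which origin the worker fetches and re-serves, I would narrow the capture to the shape actually expected, for example `([a-z0-9]+(?:-[a-z0-9]+)*)` (the allowed alphabet is my assumption), and anchor the suffix to the zone. Separately, `match` is assigned with no declaration visible in the hunk; unless it is declared earlier in `handleRequest`, whose body starts outside the hunk, this creates an implicit global or throws in strict mode, so `const match = requestUrl.hostname.match(…)` before the `if` would be safer.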
