
141 lines
3.7 KiB
Raw Permalink Normal View History

2020-01-22 00:22:19 +00:00
const Koa = require("koa");
const koaStatic = require("koa-static");
const path = require("path");
const mount = require("koa-mount");
* @type function
* @param {{ host: string, port: number, middleware: any[], allowHost: string | null }} input
* @return function
module.exports = ({ host, port, middleware, allowHost }) => {
2020-01-22 00:22:19 +00:00
const assets = new Koa();
assets.use(koaStatic(path.join(__dirname, "assets")));
2020-01-22 00:22:19 +00:00
const app = new Koa();
const validHosts = [];
// All non-GET requests must have a path that doesn't start with `/blob/`.
const isValidRequest = (request) => {
// All requests must use our hostname to prevent DNS rebind attacks.
if (validHosts.includes(request.hostname) !== true) {
console.log(`Invalid HTTP hostname: ${request.hostname}`);
return false;
// All non-GET requests must ...
if (request.method !== "GET") {
// ...have a referer...
if (request.header.referer == null) {
console.log("No referer");
return false;
try {
const refererUrl = new URL(request.header.referer);
// ...with a valid hostname...
if (validHosts.includes(refererUrl.hostname) !== true) {
console.log(`Invalid referer hostname: ${refererUrl.hostname}`);
return false;
// ...and must not originate from a blob path.
if (refererUrl.pathname.startsWith("/blob/")) {
console.log(`Invalid referer path: ${refererUrl.pathname}`);
return false;
} catch (e) {
console.log(`Invalid referer URL: ${request.header.referer}`);
return false;
// If all of the above checks pass, this is a valid request.
return true;
app.on("error", (err, ctx) => {
// Output full error objects
// Avoid printing errors for invalid requests.
if (isValidRequest(ctx.request)) {
err.message = err.stack;
err.expose = true;
2020-01-22 00:22:19 +00:00
return null;
2020-01-22 00:22:19 +00:00
app.use(mount("/assets", assets));
// headers
app.use(async (ctx, next) => {
const csp = [
2020-01-22 00:22:19 +00:00
"default-src 'none'",
"img-src 'self'",
"form-action 'self'",
"media-src 'self'",
"style-src 'self'",
2020-01-22 00:22:19 +00:00
].join("; ");
// Disallow scripts.
2020-01-22 00:22:19 +00:00
ctx.set("Content-Security-Policy", csp);
// Disallow <iframe> embeds from other domains.
2020-01-22 00:22:19 +00:00
ctx.set("X-Frame-Options", "SAMEORIGIN");
const isBlobPath = ctx.path.startsWith("/blob/");
if (isBlobPath === false) {
// Disallow browsers overwriting declared media types.
// This should only happen on non-blob URLs.
// See: https://github.com/fraction/oasis/issues/138
ctx.set("X-Content-Type-Options", "nosniff");
// Disallow sharing referrer with other domains.
2020-01-22 00:22:19 +00:00
ctx.set("Referrer-Policy", "same-origin");
// Disallow extra browser features except audio output.
2020-01-22 00:22:19 +00:00
ctx.set("Feature-Policy", "speaker 'self'");
const validHostsString = validHosts.join(" or ");
`Request must be addressed to ${validHostsString} and non-GET requests must contain non-blob referer.`
await next();
2020-01-22 00:22:19 +00:00
middleware.forEach((m) => app.use(m));
const server = app.listen({ host, port });
server.on("listening", () => {
const address = server.address();
if (typeof address === "string") {
// This shouldn't happen, but TypeScript was complaining about it.
throw new Error("HTTP server should never bind to Unix socket");
if (allowHost !== null) {
if (validHosts.includes(host) === false) {
return server;
2020-01-22 00:22:19 +00:00