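import type { IncomingMessage, ServerResponse } from 'http';

// Origins that may reach this server cross-origin. Both patterns are anchored
// with `$`: the original remote-devtools pattern only checked a prefix, so an
// origin such as `https://chrome-devtools-frontend.appspot.com.attacker.example`
// (a host that merely *starts with* the allowed name) slipped through.
// A browser's Origin header is `scheme://host[:port]` with no path, so anchoring
// rejects nothing a legitimate client sends.
const LOCALHOST_ORIGIN = /^https?:\/\/localhost:\d+$/;
const REMOTE_DEVTOOLS_ORIGIN = /^https:\/\/chrome-devtools-frontend\.appspot\.com(?::\d+)?$/;

/**
 * Like securityHeadersMiddleware but further allow cross-origin requests
 * from https://chrome-devtools-frontend.appspot.com/
 *
 * Requests that carry no `Origin` header (same-origin navigations, non-browser
 * clients) are not subject to the origin check. This is an origin allowlist
 * gate, not CORS: no `Access-Control-Allow-Origin` header is emitted here.
 *
 * @param req  Incoming request; only `req.headers.origin` is consulted.
 * @param res  Response; gets `X-Content-Type-Options: nosniff` when the request is allowed.
 * @param next Continuation; invoked with an `Error` when the origin is rejected
 *             (no header is set in that case), with no argument otherwise.
 */
export function remoteDevtoolsSecurityHeadersMiddleware(
  req: IncomingMessage,
  res: ServerResponse,
  next: (err?: Error) => void
) {
  const origin = req.headers.origin;

  // Block any cross origin request that is not on the allowlist.
  if (
    typeof origin === 'string' &&
    !LOCALHOST_ORIGIN.test(origin) &&
    !REMOTE_DEVTOOLS_ORIGIN.test(origin)
  ) {
    next(
      new Error(
        `Unauthorized request from ${origin}. ` +
          'This may happen because of a conflicting browser extension to intercept HTTP requests. ' +
          'Please try again without browser extensions or using incognito mode.'
      )
    );
    return;
  }

  // Block MIME-type sniffing.
  res.setHeader('X-Content-Type-Options', 'nosniff');

  next();
}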