Files

 master

/

pmxdr-host.js

Blame

Blame

Latest commit

 

History

History

384 lines (315 loc) · 12.3 KB

 master

/

pmxdr-host.js

Top

File metadata and controls

• Code
• Blame

384 lines (315 loc) · 12.3 KB

Raw

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

/**

* pmxdr host v0.0.6

* postMessage Cross-Domain Requester host library

* http://code.eligrey.com/pmxdr/host/

*

* By Eli Grey, http://eligrey.com

*

* Simple cross-site HTTP requesting using the postMessage API

*

* License: MIT Licence

*/

/*! @source http://purl.eligrey.com/github/pmxdr/blob/master/pmxdr-host.js*/

/* example alwaysTrustedOrigins settings:

var alwaysTrustedOrigins = [

// any origin on any protocol that has a domain that ends in eligrey.com

/^[\w-]+:(?:\/\/)?(?:[\w\.-]+\.)?eligrey\.com(?::\d+)?$/,

// only http://www.google.com is allowed,

// not http://foo.google.com:30 or http://google.com

"http://www.google.com",

// Allow http and https from example.com and *.example.com

/^https?:\/\/([\w\.-]+\.)?example\.com$/

];

*/

/* The following code blocks implement JSON.parse as pulled from

* https://code.google.com/p/json-sans-eval/

* because it's safer than using eval() and JSON.stringify from json2.js in

* https://github.com/douglascrockford/JSON-js

* The code's been minified. If you don't trust these sections of code,

* replace them with your own JSON.parse and JSON.stringify.

*/

if (typeof JSON !== 'object') {

this.JSON = {};

}

/*jslint evil:true*/ // Get around jslint's warning about eval

if (!JSON.parse) {

eval('JSON.parse=function(){function e(e,r,t){return r?i[r]:String.fromCharCode(parseInt(t,16))}var r="(?:-?\\\\b(?:0|[1-9][0-9]*)(?:\\\\.[0-9]+)?(?:[eE][+-]?[0-9]+)?\\\\b)",t=\'(?:[^\\\\0-\\\\x08\\\\x0a-\\\\x1f"\\\\\\\\]|\\\\\\\\(?:["/\\\\\\\\bfnrt]|u[0-9A-Fa-f]{4}))\';t=\'(?:"\'+t+\'*")\';var a=RegExp("(?:false|true|null|[\\\\{\\\\}\\\\[\\\\]]|"+r+"|"+t+")","g"),n=RegExp("\\\\\\\\(?:([^u])|u(.{4}))","g"),i={\'"\':\'"\',"/":"/","\\\\":"\\\\",b:"\\b",f:"\\f",n:"\\n",r:"\\r",t:" "},f=new String(""),l=Object.hasOwnProperty;return function(r,t){r=r.match(a);var i,o=r[0],h=!1;"{"===o?i={}:"["===o?i=[]:(i=[],h=!0);for(var s,c=[i],u=1-h,g=r.length;g>u;++u){o=r[u];var v;switch(o.charCodeAt(0)){default:v=c[0],v[s||v.length]=+o,s=void 0;break;case 34:if(o=o.substring(1,o.length-1),-1!==o.indexOf("\\\\")&&(o=o.replace(n,e)),v=c[0],!s){if(!(v instanceof Array)){s=o||f;break}s=v.length}v[s]=o,s=void 0;break;case 91:v=c[0],c.unshift(v[s||v.length]=[]),s=void 0;break;case 93:c.shift();break;case 102:v=c[0],v[s||v.length]=!1,s=void 0;break;case 110:v=c[0],v[s||v.length]=null,s=void 0;break;case 116:v=c[0],v[s||v.length]=!0,s=void 0;break;case 123:v=c[0],c.unshift(v[s||v.length]={}),s=void 0;break;case 125:c.shift()}}if(h){if(1!==c.length)throw Error();i=i[0]}else if(c.length)throw Error();if(t){var b=function(e,r){var a=e[r];if(a&&"object"==typeof a){var n=null;for(var i in a)if(l.call(a,i)&&a!==e){var f=b(a,i);void 0!==f?a[i]=f:(n||(n=[]),n.push(i))}if(n)for(i=n.length;--i>=0;)delete a[n[i]]}return t.call(e,r,a)};i=b({"":i},"")}return i}}();');

}

if (!JSON.stringify) {

eval('(function(){function t(t){return 10>t?"0"+t:t}function e(t){return u.lastIndex=0,u.test(t)?\'"\'+t.replace(u,function(t){var e=i[t];return"string"==typeof e?e:"\\\\u"+("0000"+t.charCodeAt(0).toString(16)).slice(-4)})+\'"\':\'"\'+t+\'"\'}function n(t,u){var i,p,s,c,l,a=o,y=u[t];switch(y&&"object"==typeof y&&"function"==typeof y.toJSON&&(y=y.toJSON(t)),"function"==typeof f&&(y=f.call(u,t,y)),typeof y){case"string":return e(y);case"number":return isFinite(y)?y+"":"null";case"boolean":case"null":return y+"";case"object":if(!y)return"null";if(o+=r,l=[],"[object Array]"===Object.prototype.toString.apply(y)){for(c=y.length,i=0;c>i;i+=1)l[i]=n(i,y)||"null";return s=0===l.length?"[]":o?"[\\n"+o+l.join(",\\n"+o)+"\\n"+a+"]":"["+l.join(",")+"]",o=a,s}if(f&&"object"==typeof f)for(c=f.length,i=0;c>i;i+=1)"string"==typeof f[i]&&(p=f[i],s=n(p,y),s&&l.push(e(p)+(o?": ":":")+s));else for(p in y)Object.prototype.hasOwnProperty.call(y,p)&&(s=n(p,y),s&&l.push(e(p)+(o?": ":":")+s));return s=0===l.length?"{}":o?"{\\n"+o+l.join(",\\n"+o)+"\\n"+a+"}":"{"+l.join(",")+"}",o=a,s}}"function"!=typeof Date.prototype.toJSON&&(Date.prototype.toJSON=function(){return isFinite(this.valueOf())?this.getUTCFullYear()+"-"+t(this.getUTCMonth()+1)+"-"+t(this.getUTCDate())+"T"+t(this.getUTCHours())+":"+t(this.getUTCMinutes())+":"+t(this.getUTCSeconds())+"Z":null},String.prototype.toJSON=Number.prototype.toJSON=Boolean.prototype.toJSON=function(){return this.valueOf()});var o,r,f,u=/[\\\\\\"\\x00-\\x1f\\x7f-\\x9f\\u00ad\\u0600-\\u0604\\u070f\\u17b4\\u17b5\\u200c-\\u200f\\u2028-\\u202f\\u2060-\\u206f\\ufeff\\ufff0-\\uffff]/g,i={"\\b":"\\\\b"," ":"\\\\t","\\n":"\\\\n","\\f":"\\\\f","\\r":"\\\\r",\'"\':\'\\\\"\',"\\\\":"\\\\\\\\"};JSON.stringify=function(t,e,u){var i;if(o="",r="","number"==typeof u)for(i=0;u>i;i+=1)r+=" ";else"string"==typeof u&&(r=u);if(f=e,e&&"function"!=typeof e&&("object"!=typeof e||"number"!=typeof e.length))throw Error("JSON.stringify");return n("",{"":t})}})();');

}

/*jslint evil:false*/

/*global Event, window, XMLHttpRequest*/

(function (undef) {

'use strict';

var alwaysTrustedOrigins;

alwaysTrustedOrigins = [

// Add any origins here that are always trusted.

// Can be exact strings or regular expressions.

];

/**

* Clean a header response

*

* Trim and remove ALL whitespace. This is because either we want

* one value or we want a list separated by commas and optional

* whitespace.

*

* @param string dirty

* @return string clean

*/

function cleanHeader(dirty) {

if (typeof dirty !== "string") {

return "";

}

var clean;

clean = dirty.replace(/[ \n\r\t]/g, '').toUpperCase();

return clean;

}

/**

* Return an object of all headers

*

* @param XMLHttpRequest request

* @return Object

*/

function getAllHeaders(request) {

var headers, header, i, responseHeaders;

headers = {};

responseHeaders = request.getAllResponseHeaders().split(/\r?\n/);

for (i = 0; i < responseHeaders.length; i += 1) {

header = responseHeaders[i].split(": ");

headers[header[0].toLowerCase()] = header[1];

}

return headers;

}

/**

* Gets a single header from a response

*

* This can throw in rare instances, thus the try/catch block

*

* @param XMLHttpRequest request

* @return object

*/

function getHeader(request, name) {

try {

return request.getResponseHeader(name);

} catch (e) {

return '';

}

}

/**

* Gets headers that are related to CORS checks

*

* @param XMLHttpRequest request

* @return object

*/

function getCorsHeaders(request) {

return {

origin: getHeader(request, 'Access-Control-Allow-Origin'),

methods: getHeader(request, 'Access-Control-Allow-Methods')

};

}

/**

* Determine if a given method is allowed

*

* @param string method

* @param string headerValue What the server allows

* @return boolean

*/

function isAllowedMethod(method, headerValue) {

headerValue = cleanHeader(headerValue);

if (!headerValue || headerValue === '*') {

return true;

}

// Make the list start and end with commas as delimiters

headerValue = ',' + headerValue + ',';

// Try to match ,METHOD, in our list of ,ALLOWED,METHODS,

if (headerValue.indexOf(',' + method + ',') !== -1) {

return true;

}

return false;

}

/**

* See if an origin is whitelisted by this library

*

* @param string origin

* @return boolean

*/

function isAlwaysTrusted(origin) {

var i, isTrusted;

for (i = 0; i < alwaysTrustedOrigins.length; i += 1) {

if (alwaysTrustedOrigins[i] instanceof RegExp) {

// Match the regular expression

isTrusted = alwaysTrustedOrigins[i].test(origin);

} else if (typeof alwaysTrustedOrigins[i] === "string") {

// Exact string matching

isTrusted = (origin === alwaysTrustedOrigins[i]);

}

if (isTrusted) {

return true;

}

}

return false;

}

/**

* Checks if the origin is always trusted or if it matches the

* response header's allowed origin.

*

* @param string origin

* @param string headerValue

* @return boolean

*/

function isTrustedOrigin(origin, headerValue) {

origin = origin.toUpperCase();

if (isAlwaysTrusted(origin)) {

return true;

}

headerValue = cleanHeader(headerValue);

if (headerValue === '*' || headerValue === origin) {

return true;

}

return false;

}

/**

* Make a request to the server

*

* @param string method

* @param string uri

* @param Object headers

* @param string data Optional data to send

* @param Function callback Callback to call when done, callback(request)

* @return XMLHttpRequest

*/

function makeRequest(method, uri, headers, data, callback) {

var header, request;

request = new XMLHttpRequest();

request.open(method, uri, true);

if (headers) {

for (header in headers) {

if (headers.hasOwnProperty(header)) {

request.setRequestHeader(header, headers[header]);

}

}

}

if (typeof data === "string") {

request.send(data);

} else {

request.send(null);

}

if (callback) {

request.onreadystatechange = function () {

if (request.readyState !== 4) {

return;

}

callback(request);

};

}

return request;

}

// Opera 9.x postMessage fix (only for http:, not https:)

if (window.opera !== undef) {

if (parseInt(window.opera.version(), 10) === 9) {

/*jslint nomen:true*/

Event.prototype.__defineGetter__("origin", function () {

return "http://" + this.domain;

});

/*jslint nomen:false*/

}

}

function pmxdrRequestHandler(evt) {

var data, optionsCorsHeaders, origin, source, reply;

function sendReply(response) {

source.postMessage(JSON.stringify(response), origin);

}

function replyError(code) {

reply.error = code;

sendReply(reply);

}

function handleResponse(request) {

var corsHeaders;

if (request.readyState !== 4) {

return;

}

reply.status = request.status;

reply.statusText = request.statusText;

if (!request.status) {

// Error loading the requested resource

replyError('LOAD_ERROR');

return;

}

// Handle IE's status code 1223 - see note below

if (request.status === 1223) {

reply.status = 204;

reply.statusText = 'No Content';

corsHeaders = optionsCorsHeaders;

} else {

corsHeaders = getCorsHeaders(request);

}

if (!isTrustedOrigin(origin, corsHeaders.origin)) {

// The host was not allowed to request the resource

replyError('DISALLOWED_ORIGIN');

return;

}

if (!isAllowedMethod(data.method, corsHeaders.methods)) {

// The request method was not allowed

replyError('DISALLOWED_REQUEST_METHOD');

return;

}

reply.data = request.responseText;

reply.headers = getAllHeaders(request);

sendReply(reply);

}

// evt gets removed by IE quickly. We lose its information

// unless we copy it to local variables.

source = evt.source;

origin = evt.origin;

// Decode the JSON data from the event

try {

data = JSON.parse(evt.data);

} catch (e) {

return;

}

// Only handle pmxdr requests

if (typeof data !== 'object' || data.pmxdr !== true) {

return;

}

reply = {

pmxdr: true

};

if (data.id !== undef) {

reply.id = data.id;

}

if (typeof data.method === "string") {

data.method = data.method.toUpperCase();

}

/* Internet Explorer <= 9 may report a status code of 1223 when

* there is a 204 No Content reply. When that happens, the headers

* are not accessible and thus we can not check to see if the

* request is allowed via CORS.

*

* To combat this problem we issue an OPTIONS call. If we use OPTIONS

* after our request, we may get the wrong results. If a resource

* was deleted and we use OPTIONS on the deleted resource, we should

* properly get a 404 error or similar. So the OPTIONS call must

* happen first.

*

* Issue an OPTIONS request first. Then issue our real request.

* If that returns with a status code of 1223, handle IE's quirk

* and use the headers from the OPTIONS call for CORS.

*/

makeRequest('OPTIONS', data.uri, data.headers, null, function (optionsRequest) {

optionsCorsHeaders = getCorsHeaders(optionsRequest);

if (data.method === 'OPTIONS') {

handleResponse(optionsRequest);

return;

}

makeRequest(data.method, data.uri, data.headers, data.data, handleResponse);

});

}

if (window.addEventListener) {

window.addEventListener("message", pmxdrRequestHandler, false); // normal browsers

} else if (window.attachEvent) {

window.attachEvent("onmessage", pmxdrRequestHandler); // IE

}

// Expose to browser for testing

window.pmxdrRequestHandler = pmxdrRequestHandler;

}());