restrict req.backend to a config origin

mozilla-services · Apr 11, 2017 · ef9c296 · ef9c296
1 parent c8e5998
commit ef9c296
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/server/src/server.js b/server/src/server.js
@@ -256,7 +256,8 @@ app.use(function (req, res, next) {
     }
   }
   req.abTests = authInfo.abTests || {};
-  req.backend = `${req.protocol}://${req.headers.host}`;
+  const host = req.headers.host === config.contentOrigin ? config.contentOrigin : config.siteOrigin;
+  req.backend = `${req.protocol}://${host}`;
   req.config = config;
   next();
 });