enhance(libs/play): add logging + refine runner errors (#12645)

caugner · web-flow · commit 2baf9bdd877a · 2025-06-30T14:27:10.000+02:00
* enhance(play): add logging + distinguish runner responses

* chore(play): use HTTP 204 for empty response

* fix(play): return separately from response

* fix(libs/play): avoid HTTP 204 for Safari

* chore(libs/play): refine runner logging

* refactor(libs/play): inline is{OnMDN,Iframe} variables

* chore(libs/play): refine comment

* chore(libs/play): be consistent about returning response

We should just `return`, but now is not the time to fix that.
diff --git a/libs/play/index.js b/libs/play/index.js
@@ -623,10 +623,9 @@ function playSubdomain(hostname) {
 }
 
 /**
- * @param {URL} referer
+ * @param {string} hostname
  */
-function isMDNReferer(referer) {
-  const { hostname } = referer;
+function isMDNHost(hostname) {
   return (
     hostname === ORIGIN_MAIN ||
     // Review Companion (old/new).
@@ -655,21 +654,47 @@ export async function handleRunner(req, res) {
     "https://example.com"
   );
   const stateParam = url.searchParams.get("state");
-  const { state, hash } = await decompressFromBase64(stateParam);
 
-  const isLocalhost = req.hostname === "localhost";
-  const hasMatchingHash = playSubdomain(req.hostname) === hash;
-  const isIframeOnMDN =
-    isMDNReferer(referer) && req.headers["sec-fetch-dest"] === "iframe";
+  if (!stateParam) {
+    console.warn("[runner] Missing state parameter");
+    return res.status(400).end();
+  }
 
-  if (
-    !stateParam ||
-    !state ||
-    (!isLocalhost && !hasMatchingHash && !isIframeOnMDN)
-  ) {
+  const { state, hash } = await decompressFromBase64(stateParam);
+
+  if (!state) {
+    console.warn("[runner] Invalid state value");
     return res.status(404).end();
   }
 
+  if (req.hostname !== "localhost") {
+    // For security reasons, we only allow the runner:
+    // 1. on localhost (without any restrictions),
+    // 2. if the subdomain matches the hash (for embedded direct links), or
+    // 3. in iframes on MDN.
+    const subdomain = playSubdomain(req.hostname);
+
+    if (subdomain !== hash) {
+      const secFetchDest = req.headers["sec-fetch-dest"];
+
+      if (secFetchDest !== "iframe") {
+        console.warn(
+          `[runner] Disallowed Sec-Fetch-Dest (expected "iframe", was ${JSON.stringify(secFetchDest)})`
+        );
+        return res.status(403).end();
+      }
+
+      const { hostname } = referer;
+
+      if (!isMDNHost(hostname)) {
+        console.warn(
+          `[runner] Disallowed Referer (expected MDN host, was ${JSON.stringify(hostname)})`
+        );
+        return res.status(403).end();
+      }
+    }
+  }
+
   const json = JSON.parse(state);
   const codeParam = url.searchParams.get("code");
   const codeCookie = req.cookies["code"];
