Esempio n. 1
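        /// <summary>
        /// Handles one request described by the given environment dictionary: applies the
        /// cross-domain policy, sets response hardening headers, populates the host context,
        /// then authorizes the request and hands it to the connection.
        /// </summary>
        /// <param name="environment">The per-request environment dictionary wrapped by the request and response objects.</param>
        /// <returns>
        /// The task from <c>EndResponse</c> (status 403) when the request is rejected by the
        /// cross-domain policy or by <c>_connection.Authorize</c>; otherwise the task returned by
        /// <c>_connection.ProcessRequest</c>.
        /// </returns>
        /// <remarks>
        /// Security notes for reviewers:
        /// when <c>_configuration.EnableCrossDomain</c> is set, the request's <c>Origin</c> value is
        /// echoed back unchanged in <c>Access-Control-Allow-Origin</c> together with
        /// <c>Access-Control-Allow-Credentials: true</c>. No allowlist is consulted in this method, so
        /// every origin is treated as trusted for credentialed requests and <c>_connection.Authorize</c>
        /// is the only gate visible here. These CORS headers are written before authorization runs,
        /// so a 403 from the authorization check still carries them.
        /// </remarks>
        public Task Invoke(IDictionary<string, object> environment)
        {
            var request  = new ServerRequest(environment);
            var response = new ServerResponse(environment);
            var context  = new HostContext(request, response);

            // Set nosniff before any early return so the 403 produced by the cross-domain check
            // also carries it; previously it was only added after that check, which left that
            // response without the header. It stops browsers from guessing a MIME type from the body.
            response.ResponseHeaders.SetHeader("X-Content-Type-Options", "nosniff");

            string requestOrigin = request.RequestHeaders.GetHeader("Origin");
            bool hasOrigin = !String.IsNullOrEmpty(requestOrigin);

            if (_configuration.EnableCrossDomain)
            {
                if (hasOrigin)
                {
                    // The Origin header is attacker-controllable and is reflected verbatim.
                    // NOTE(review): combined with Allow-Credentials this permits credentialed
                    // cross-site requests from any origin; consider validating the value against
                    // a configured list of trusted origins before echoing it.
                    response.ResponseHeaders.SetHeader("Access-Control-Allow-Origin", requestOrigin);
                    response.ResponseHeaders.SetHeader("Access-Control-Allow-Credentials", "true");
                }
            }
            else
            {
                string jsonpCallback = request.QueryString["callback"];
                bool isJsonp = !String.IsNullOrEmpty(jsonpCallback);

                // Cross-domain is disabled: reject JSONP requests outright, and reject any request
                // whose Origin header does not match the request URL's origin. The same-origin
                // check is only evaluated when the request is not JSONP and an Origin is present.
                if (isJsonp || (hasOrigin && !IsSameOrigin(request.Url, requestOrigin)))
                {
                    return EndResponse(environment, 403, Resources.Forbidden_CrossDomainIsDisabled);
                }
            }

            // REVIEW: Performance
            context.Items[HostConstants.SupportsWebSockets] = environment.SupportsWebSockets();
            context.Items[HostConstants.ShutdownToken]      = environment.GetShutdownToken();
            context.Items[HostConstants.DebugMode]          = environment.GetIsDebugEnabled();

            request.DisableRequestCompression();
            response.DisableResponseBuffering();

            _connection.Initialize(_configuration.Resolver, context);

            if (!_connection.Authorize(request))
            {
                // An unauthorized request can't do anything further, so end it with a 403.
                return EndResponse(environment, 403, "Forbidden");
            }

            return _connection.ProcessRequest(context);
        }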