Do not use * for Access-Control-Allow-Origin

lifegpc · Jun 3, 2024 · 3ae88a9 · 3ae88a9
1 parent 1e88cfe
commit 3ae88a9
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/routes/api/_middleware.ts b/routes/api/_middleware.ts
@@ -57,7 +57,7 @@ export async function handler(req: Request, ctx: FreshContext) {
         const origin = req.headers.get("origin");
         if (origin) {
             const c = m.cfg.cors_credentials_hosts.includes(origin);
-            headers["Access-Control-Allow-Origin"] = c ? origin : "*";
+            headers["Access-Control-Allow-Origin"] = origin;
             if (c) headers["Access-Control-Allow-Credentials"] = "true";
         }
         return return_error(401, "Unauthorized", 401, headers);
@@ -70,7 +70,7 @@ export async function handler(req: Request, ctx: FreshContext) {
         const origin = req.headers.get("origin");
         if (origin) {
             const c = m.cfg.cors_credentials_hosts.includes(origin);
-            headers.set("Access-Control-Allow-Origin", c ? origin : "*");
+            headers.set("Access-Control-Allow-Origin", origin);
             if (allow) headers.set("Access-Control-Allow-Methods", allow);
             headers.set("Access-Control-Allow-Headers", "Content-Type, Range, X-TOKEN");
             if (c) headers.set("Access-Control-Allow-Credentials", "true");
@@ -83,7 +83,7 @@ export async function handler(req: Request, ctx: FreshContext) {
         const origin = req.headers.get("origin");
         if (origin) {
             const c = m.cfg.cors_credentials_hosts.includes(origin);
-            headers.set("Access-Control-Allow-Origin", c ? origin : "*");
+            headers.set("Access-Control-Allow-Origin", origin);
             if (c) headers.set("Access-Control-Allow-Credentials", "true");
         }
         if (ctx.state.is_from_cookie && ctx.state.token) {

diff --git a/routes/file/_middleware.ts b/routes/file/_middleware.ts
@@ -11,7 +11,7 @@ export async function handler(req: Request, ctx: FreshContext) {
         const origin = req.headers.get("origin");
         if (origin) {
             const c = m.cfg.cors_credentials_hosts.includes(origin);
-            headers.set("Access-Control-Allow-Origin", c ? origin : "*");
+            headers.set("Access-Control-Allow-Origin", origin);
             if (allow) headers.set("Access-Control-Allow-Methods", allow);
             headers.set("Access-Control-Allow-Headers", "Content-Type, Range");
             if (c) headers.set("Access-Control-Allow-Credentials", "true");
@@ -24,7 +24,7 @@ export async function handler(req: Request, ctx: FreshContext) {
         const origin = req.headers.get("origin");
         if (origin) {
             const c = m.cfg.cors_credentials_hosts.includes(origin);
-            headers.set("Access-Control-Allow-Origin", c ? origin : "*");
+            headers.set("Access-Control-Allow-Origin", origin);
             if (c) headers.set("Access-Control-Allow-Credentials", "true");
         }
         return new Response(res.body, {