mirror of
https://github.com/alexta69/metube.git
synced 2026-06-13 16:40:05 +00:00
0072d3488a
The on_prepare handler unconditionally reflected the Origin request header into Access-Control-Allow-Origin, and Socket.IO was configured with cors_allowed_origins='*'. This allowed any website to make authenticated cross-origin requests to all API endpoints, enabling cross-origin download initiation, cookie overwrite, and data deletion. Replace the blanket origin reflection with an explicit allowlist via the CORS_ALLOWED_ORIGINS environment variable. When unset, cross-origin requests are denied by default. Users who need cross-origin access can set CORS_ALLOWED_ORIGINS to a comma-separated list of trusted origins.
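The reflection-versus-allowlist distinction the commit describes, written out as an added Python example (not MeTube's code and not the commit's diff). The environment variable name CORS_ALLOWED_ORIGINS comes from the commit message; the parsing rules (trimming whitespace, ignoring empty entries), the exact-match comparison, the Vary: Origin header, the Allow-Credentials header and the shape of the on_prepare handler are assumptions made here. The handler only touches request.headers.get and response.headers.update, so it runs against the plain stand-in objects below without aiohttp installed.

```python
import asyncio
import os
from typing import Awaitable, Callable, Mapping, MutableMapping, Optional

ENV_VAR = "CORS_ALLOWED_ORIGINS"  # name taken from the commit message


def reflected_cors_headers(origin: Optional[str]) -> dict:
    """The pre-fix behaviour the commit describes: echo any Origin back.

    Constructed illustration, not MeTube's code. Reflecting the origin while
    also allowing credentials lets any site the user visits call the API
    with the user's cookies, which is the cross-origin problem being fixed.
    """
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def parse_allowed_origins(value: Optional[str]) -> frozenset:
    """Parse a comma-separated allowlist; unset or empty means deny all.

    Whitespace trimming and dropping of empty entries are assumptions about
    how such a variable would be parsed, not documented MeTube behaviour.
    """
    if not value:
        return frozenset()
    return frozenset(o.strip() for o in value.split(",") if o.strip())


def allowlisted_cors_headers(origin: Optional[str], allowed: frozenset) -> dict:
    """Emit CORS headers only for an exact match against the allowlist.

    Exact string comparison of the full origin (scheme://host[:port]) is
    deliberate: prefix or substring checks would accept an origin such as
    https://trusted.example.attacker.example. 'Vary: Origin' is added so a
    cache never serves one origin's ACAO value to another request (an
    addition here, not something the commit message mentions).
    """
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def allowed_origins_from_env(environ: Mapping[str, str] = os.environ) -> frozenset:
    """Read the allowlist the way a server would at startup."""
    return parse_allowed_origins(environ.get(ENV_VAR))


def make_on_prepare(allowed: frozenset) -> Callable[..., Awaitable[None]]:
    """Build an aiohttp-style on_prepare signal handler.

    aiohttp invokes on_prepare(request, response) before the headers are
    sent; only request.headers.get and response.headers.update are used,
    so the handler also runs against the plain stand-ins below.
    """
    async def on_prepare(request, response) -> None:
        response.headers.update(
            allowlisted_cors_headers(request.headers.get("Origin"), allowed)
        )
    return on_prepare


class _Msg:
    """Minimal stand-in for an aiohttp request/response (constructed)."""
    def __init__(self, headers: Optional[MutableMapping[str, str]] = None):
        self.headers = dict(headers or {})


def simulate(origin: Optional[str], env_value: Optional[str]) -> dict:
    """Run one request through the allowlist handler; return response headers."""
    handler = make_on_prepare(parse_allowed_origins(env_value))
    req, resp = _Msg({"Origin": origin} if origin else {}), _Msg()
    asyncio.run(handler(req, resp))
    return resp.headers


if __name__ == "__main__":
    trusted = "https://dashboard.example, https://admin.example:8081"  # constructed
    print("before :", reflected_cors_headers("https://attacker.example"))
    print("unset  :", simulate("https://dashboard.example", None))
    print("allowed:", simulate("https://dashboard.example", trusted))
    print("denied :", simulate("https://attacker.example", trusted))
    # Assumed wiring for the Socket.IO side: python-socketio accepts a list
    # of origin strings for cors_allowed_origins, so the same parsed set can
    # replace the '*' the commit removes, e.g.
    # socketio.AsyncServer(cors_allowed_origins=sorted(allowed_origins_from_env()))
```

When checking a deployment after this change, send a request with a forged Origin header and confirm that the response carries no Access-Control-Allow-Origin at all (not a reflected value, and not `*` alongside `Access-Control-Allow-Credentials: true`, a pairing browsers reject anyway).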