mirror of
https://github.com/LCE-Hub/LCE-Emerald-Launcher.git
synced 2026-07-19 00:37:07 +00:00
fix(LCEL-07): scope workshop server CORS to tauri origin
the local workshop HTTP server at 127.0.0.1:5582 returned Access-Control-Allow-Origin: *. any website the user visited could fetch http://127.0.0.1:5582/workshop/<path> and read the response. changed to http://localhost:1420 (the tauri dev origin). if the server ever gains endpoints proxying private/instance-specific content, the wildcard would have leaked it.
This commit is contained in:
parent
8da6a217bc
commit
186279d947
|
|
@ -92,7 +92,10 @@ async fn handle(stream: tokio::net::TcpStream) {
|
|||
"application/octet-stream"
|
||||
};
|
||||
let response = format!(
|
||||
"HTTP/1.1 200 OK\r\nContent-Type: {}\r\nContent-Length: {}\r\nAccess-Control-Allow-Origin: *\r\nConnection: close\r\n\r\n",
|
||||
// security: scope CORS to the tauri webview origin. was
|
||||
// "*" which let any website the user visits fetch the
|
||||
// workshop server. (LCEL-07)
|
||||
"HTTP/1.1 200 OK\r\nContent-Type: {}\r\nContent-Length: {}\r\nAccess-Control-Allow-Origin: http://localhost:1420\r\nConnection: close\r\n\r\n",
|
||||
content_type,
|
||||
body.len(),
|
||||
);
|
||||
|
|
|
|||
Loading…
Reference in a new issue