fix(LCEL-07): scope workshop server CORS to tauri origin

the local workshop HTTP server at 127.0.0.1:5582 returned
Access-Control-Allow-Origin: *. any website the user visited could
fetch http://127.0.0.1:5582/workshop/<path> and read the response.

changed to http://localhost:1420 (the tauri dev origin). if the
server ever gains endpoints proxying private/instance-specific
content, the wildcard would have leaked it.
This commit is contained in:
M1noa 2026-07-16 17:35:44 -05:00
parent 8da6a217bc
commit 186279d947

View file

@ -92,7 +92,10 @@ async fn handle(stream: tokio::net::TcpStream) {
"application/octet-stream"
};
let response = format!(
"HTTP/1.1 200 OK\r\nContent-Type: {}\r\nContent-Length: {}\r\nAccess-Control-Allow-Origin: *\r\nConnection: close\r\n\r\n",
// security: scope CORS to the tauri webview origin. was
// "*" which let any website the user visits fetch the
// workshop server. (LCEL-07)
"HTTP/1.1 200 OK\r\nContent-Type: {}\r\nContent-Length: {}\r\nAccess-Control-Allow-Origin: http://localhost:1420\r\nConnection: close\r\n\r\n",
content_type,
body.len(),
);