From 186279d9475cfaf3c543148c03d22d8612e97103 Mon Sep 17 00:00:00 2001 From: M1noa Date: Thu, 16 Jul 2026 17:35:44 -0500 Subject: [PATCH] fix(LCEL-07): scope workshop server CORS to tauri origin the local workshop HTTP server at 127.0.0.1:5582 returned Access-Control-Allow-Origin: *. any website the user visited could fetch http://127.0.0.1:5582/workshop/ and read the response. changed to http://localhost:1420 (the tauri dev origin). if the server ever gains endpoints proxying private/instance-specific content, the wildcard would have leaked it. --- src-tauri/src/workshop_server.rs | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src-tauri/src/workshop_server.rs b/src-tauri/src/workshop_server.rs index c381c53..df76fd8 100644 --- a/src-tauri/src/workshop_server.rs +++ b/src-tauri/src/workshop_server.rs @@ -92,7 +92,10 @@ async fn handle(stream: tokio::net::TcpStream) { "application/octet-stream" }; let response = format!( - "HTTP/1.1 200 OK\r\nContent-Type: {}\r\nContent-Length: {}\r\nAccess-Control-Allow-Origin: *\r\nConnection: close\r\n\r\n", + // security: scope CORS to the tauri webview origin. was + // "*" which let any website the user visits fetch the + // workshop server. (LCEL-07) + "HTTP/1.1 200 OK\r\nContent-Type: {}\r\nContent-Length: {}\r\nAccess-Control-Allow-Origin: http://localhost:1420\r\nConnection: close\r\n\r\n", content_type, body.len(), );