
Commit 232c066

committed
framework: also allow cors from referer header
1 parent 9c10219 commit 232c066

1 file changed

Lines changed: 8 additions & 4 deletions


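--- a/framework/framework/server.ts
+++ b/framework/framework/server.ts
@@ -365,14 +365,18 @@ export class WebService<C extends CordisContext = CordisContext> extends Service
 const corsAllowHeaders = 'x-requested-with, accept, origin, content-type, upgrade-insecure-requests';
 this.server.use(Compress());
 this.server.use(async (c, next) => {
-if (c.request.headers.origin && this.config.cors) {
+if ((c.request.headers.origin || c.request.headers.referer) && this.config.cors) {
 try {
-const host = new URL(c.request.headers.origin).host;
+const host = new URL(c.request.headers.origin || c.request.headers.referer).host;
 if (host !== c.request.headers.host && `,${this.config.cors},`.includes(`,${host},`)) {
 c.set('Access-Control-Allow-Credentials', 'true');
-c.set('Access-Control-Allow-Origin', c.request.headers.origin);
 c.set('Access-Control-Allow-Headers', corsAllowHeaders);
-c.set('Vary', 'Origin');
+if (c.request.headers.origin) {
+c.set('Access-Control-Allow-Origin', c.request.headers.origin);
+c.set('Vary', 'Origin');
+} else {
+c.set('Vary', 'Referer');
+}
 c.cors = true;
 }
 } catch (e) {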
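Review bot: In the Referer-only path (the `else` arm at new line 377) the response carries `Access-Control-Allow-Credentials: true` and `Access-Control-Allow-Headers` but no `Access-Control-Allow-Origin`, so a browser will not treat it as a CORS grant and the only effective change is that `c.cors = true` is now derived from Referer. What `c.cors` gates is outside this hunk; if later handlers use it to relax a cross-site or CSRF check, keep in mind that browsers typically omit Origin only on navigations and no-cors subresource loads, so this arm would extend that trust to any page on an allow-listed host that can embed a link or image, and it silently stops matching when a Referrer-Policy strips the header. I would move the two unconditional `c.set(...)` calls into the `if (c.request.headers.origin)` arm and put a comment on the `else` arm such as `// Referer-only match: no CORS headers are sent; c.cors marks the request as coming from an allow-listed host`. The middleware body continues past the hunk (the `catch` block is cut off), so the handling of an unparsable Referer could not be checked here.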
