mirror of
https://github.com/nesquena/hermes-webui.git
synced 2026-07-12 18:50:35 +00:00
4e8978f04c
do_OPTIONS answered every CORS preflight with Access-Control-Allow-Origin: *, advertising broader cross-origin access than a real request is granted — on a password-less deployment that lets any site read authenticated responses. It now echoes the request Origin only when _check_same_origin_browser_request approves it (the exact same-origin / HERMES_WEBUI_ALLOWED_ORIGINS policy the CSRF gate enforces for real requests), adds Vary: Origin, and never emits *. A disallowed origin gets a 200 with no CORS headers (browser treats as preflight denial). Default deployments (no allowlist) are unaffected. Contributor stage; gate-pass. Co-authored-by: mo7al876any <mo7al876any@users.noreply.github.com>