Fix CORS impl

2026-06-06 05:38:44 +08:00 · 2023-08-30 14:54:23 +08:00
parent ffce3198fb
commit 7d3cb01cda
2 changed files with 4 additions and 4 deletions
--- a/routes/api/_middleware.ts
+++ b/routes/api/_middleware.ts
@@ -47,7 +47,7 @@ export async function handler(req: Request, ctx: MiddlewareHandlerContext) {
        if (allow) headers.set("Allow", allow);
        const origin = req.headers.get("origin");
        if (origin) {
-            headers.set("Access-Control-Allow-Origin", "*");
+            headers.set("Access-Control-Allow-Origin", origin);
            if (allow) headers.set("Access-Control-Allow-Methods", allow);
            headers.set("Access-Control-Allow-Headers", "Content-Type, Range");
            headers.set("Access-Control-Allow-Credentials", "true");
@@ -58,7 +58,7 @@ export async function handler(req: Request, ctx: MiddlewareHandlerContext) {
        const headers = new Headers(res.headers);
        const origin = req.headers.get("origin");
        if (origin) {
-            headers.set("Access-Control-Allow-Origin", "*");
+            headers.set("Access-Control-Allow-Origin", origin);
        }
        if (ctx.state.is_from_cookie && ctx.state.token) {
            const m = get_task_manager();
--- a/routes/file/_middleware.ts
+++ b/routes/file/_middleware.ts
@@ -8,7 +8,7 @@ export async function handler(req: Request, ctx: MiddlewareHandlerContext) {
        if (allow) headers.set("Allow", allow);
        const origin = req.headers.get("origin");
        if (origin) {
-            headers.set("Access-Control-Allow-Origin", "*");
+            headers.set("Access-Control-Allow-Origin", origin);
            if (allow) headers.set("Access-Control-Allow-Methods", allow);
            headers.set("Access-Control-Allow-Headers", "Content-Type, Range");
            headers.set("Access-Control-Allow-Credentials", "true");
@@ -19,7 +19,7 @@ export async function handler(req: Request, ctx: MiddlewareHandlerContext) {
        const headers = new Headers(res.headers);
        const origin = req.headers.get("origin");
        if (origin) {
-            headers.set("Access-Control-Allow-Origin", "*");
+            headers.set("Access-Control-Allow-Origin", origin);
        }
        return new Response(res.body, {
            status: res.status,