From b38eb01e2761c0d517e1c28af6397ce59b4a2d96 Mon Sep 17 00:00:00 2001
From: 3nd3r
Date: Sun, 12 Apr 2026 12:55:58 -0500
Subject: [PATCH] Fix #7: Replace CORS wildcard with configurable origins

- cors_allowed_origins now uses CORS_ORIGINS from config (default: None)
- None restricts to same-origin only, blocking cross-site WebSocket hijacking
- Set CORS_ORIGINS in config.json or env var to allow specific domains
---
 app.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app.py b/app.py
index efe4f7f..e3928a9 100644
--- a/app.py
+++ b/app.py
@@ -55,7 +55,7 @@ from flask_socketio import SocketIO, emit, join_room, disconnect
 from database import db, init_db
 from models import User, Message, UserIgnore
 from config import (
-    SECRET_KEY, ADMIN_PASSWORD, DATABASE_URL,
+    SECRET_KEY, ADMIN_PASSWORD, DATABASE_URL, CORS_ORIGINS,
     MAX_MSG_LEN, LOBBY, AI_FREE_LIMIT, AI_BOT_NAME,
     OLLAMA_URL, VIOLET_MODEL, VIOLET_SYSTEM,
     aesgcm_encrypt, aesgcm_decrypt, issue_jwt, verify_jwt,
@@ -312,7 +312,7 @@ def create_app() -> Flask:
     socketio.init_app(
         app,
         async_mode="eventlet",
-        cors_allowed_origins="*",
+        cors_allowed_origins=CORS_ORIGINS,
         message_queue=msg_queue,
         logger=False,
         engineio_logger=False,
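Review bot: `cors_allowed_origins=CORS_ORIGINS` in the second hunk is only as safe as the value `config` hands it, and this patch shows no parsing or validation of that value. In python-engineio (from memory; confirm against the pinned version) `None` means same-origin, a `str` is a single literal origin, a list is an allow-list, and an empty list `[]` switches the Origin check off entirely — so a loader that maps an unset `CORS_ORIGINS` to `[]` or `""` instead of `None` would quietly reopen the cross-site WebSocket hijacking this commit closes, and an env value such as `"https://a.example,https://b.example"` passed through as one string would match no origin at all. I would fail loudly at this call site for the one value that is never safe in production, e.g. `if CORS_ORIGINS == "*": app.logger.warning("CORS_ORIGINS is '*': Socket.IO origin check is disabled")`, and have `config` split comma-separated env values into a list and fall back to `None` when the variable is absent. The `create_app` body begins before this hunk and continues past it.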