lord3nd3r
/
aprhodite
forked from ComputerTech/aprhodite
1
0
Fork 0
Code Pull Requests Activity

Fix #7: Replace CORS wildcard with configurable origins 

- cors_allowed_origins now uses CORS_ORIGINS from config (default: None)
- None restricts to same-origin only, blocking cross-site WebSocket hijacking
- Set CORS_ORIGINS in config.json or env var to allow specific domains
This commit is contained in:
3nd3r 2026-04-12 12:55:58 -05:00
parent 46ba1d7273
commit b38eb01e27
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
app.py
View File

@ -55,7 +55,7 @@ from flask_socketio import SocketIO, emit, join_room, disconnect
from database import db, init_db from database import db, init_db
from models import User, Message, UserIgnore from models import User, Message, UserIgnore
from config import ( from config import (
SECRET_KEY, ADMIN_PASSWORD, DATABASE_URL, SECRET_KEY, ADMIN_PASSWORD, DATABASE_URL, CORS_ORIGINS,
MAX_MSG_LEN, LOBBY, AI_FREE_LIMIT, AI_BOT_NAME, MAX_MSG_LEN, LOBBY, AI_FREE_LIMIT, AI_BOT_NAME,
OLLAMA_URL, VIOLET_MODEL, VIOLET_SYSTEM, OLLAMA_URL, VIOLET_MODEL, VIOLET_SYSTEM,
aesgcm_encrypt, aesgcm_decrypt, issue_jwt, verify_jwt, aesgcm_encrypt, aesgcm_decrypt, issue_jwt, verify_jwt,
@ -312,7 +312,7 @@ def create_app() -> Flask:
socketio.init_app( socketio.init_app(
app, app,
async_mode="eventlet", async_mode="eventlet",
cors_allowed_origins="*", cors_allowed_origins=CORS_ORIGINS,
message_queue=msg_queue, message_queue=msg_queue,
logger=False, logger=False,
engineio_logger=False, engineio_logger=False,