From 30dee18835349df7487ea4fc1403b4c952aff5a1 Mon Sep 17 00:00:00 2001
From: xiaodong zuo <53252747+zuoxiaodong0815@users.noreply.github.com>
Date: Wed, 12 Jul 2023 16:35:46 +0800
Subject: [PATCH] fix: enhancing the security of image proxy (#3176)

---
 .github/workflows/workers.yml | 1 +
 packages/workers/src/index.ts | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/workers.yml b/.github/workflows/workers.yml
index b0e5a7998..9637dd19d 100644
--- a/.github/workflows/workers.yml
+++ b/.github/workflows/workers.yml
@@ -18,4 +18,5 @@ jobs:
       uses: cloudflare/wrangler-action@2.0.0
       with:
         apiToken: ${{ secrets.CF_API_TOKEN }}
+        accountId: ${{ secrets.CF_ACCOUNT_ID }}
       workingDirectory: 'packages/workers'
diff --git a/packages/workers/src/index.ts b/packages/workers/src/index.ts
index 7ec5596fb..26da5810e 100644
--- a/packages/workers/src/index.ts
+++ b/packages/workers/src/index.ts
@@ -39,7 +39,12 @@ async function proxyImage(request: Request): Promise {
   const response = await fetch(imageRequest);
   const modifiedResponse = new Response(response.body);
-  modifiedResponse.headers.set('Access-Control-Allow-Origin', '*');
+
+  modifiedResponse.headers.set(
+    'Access-Control-Allow-Origin',
+    request.headers.get('Origin') ?? 'null'
+  );
+  modifiedResponse.headers.set('Vary', 'Origin');
   modifiedResponse.headers.set('Access-Control-Allow-Methods', 'GET');
   return modifiedResponse;
@@ -47,7 +52,7 @@ async function proxyImage(request: Request): Promise {
 const handler = {
   async fetch(request: Request) {
-    if (!isOriginAllowed(request.headers.get('Origin') || '', ALLOW_ORIGIN)) {
+    if (!isOriginAllowed(request.headers.get('Origin') ?? '', ALLOW_ORIGIN)) {
       return new Response('unauthorized', { status: 401 });
     }
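Review bot: The `?? 'null'` fallback in the new `Access-Control-Allow-Origin` call means a request that carries no Origin header gets the literal header value `null`, and browsers compare that value byte-for-byte against the requesting document's serialised origin, so `Access-Control-Allow-Origin: null` grants cross-origin read access to every document whose origin serialises to `null` (sandboxed iframes, `data:` pages, local files) — the opposite of what an allow-list is for. Whether that branch is reachable depends on `isOriginAllowed` (defined outside this hunk) accepting the empty string the handler passes when Origin is absent; the safer shape does not depend on that and simply omits the header when there is nothing to reflect: `const origin = request.headers.get('Origin');` followed by `if (origin !== null) modifiedResponse.headers.set('Access-Control-Allow-Origin', origin);`. Keep the added `Vary: Origin` line, since the header value now varies per request and shared caches must key on it. Note also that a client can send a literal `Origin: null` string, which the reflected form echoes back verbatim if the allow-list ever matches it, so `ALLOW_ORIGIN` should never contain `null`. proxyImage's signature and the top of its body are outside the hunk.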