fix: enhancing the security of image proxy (#3176)

xiaodong zuo 2023-07-12 16:35:46 +08:00 committed by GitHub
parent b509302711
commit 30dee18835
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 8 additions and 2 deletions


@ -18,4 +18,5 @@ jobs:
uses: cloudflare/wrangler-action@2.0.0
with:
apiToken: ${{ secrets.CF_API_TOKEN }}
accountId: ${{ secrets.CF_ACCOUNT_ID }}
workingDirectory: 'packages/workers'
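Review bot: The step that receives `CF_API_TOKEN` and `CF_ACCOUNT_ID` references its action by a mutable tag, `cloudflare/wrangler-action@2.0.0`. Pinning it to the full commit SHA that the tag currently resolves to, with the tag kept as a trailing comment, would stop a re-pointed tag from running with these secrets. It is also worth confirming that the API token is scoped to the Workers deployment permissions for this one account only. The job definition starts outside the hunk, so its triggers and any `permissions:` block are not visible here.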


@ -39,7 +39,12 @@ async function proxyImage(request: Request): Promise<Response> {
const response = await fetch(imageRequest);
const modifiedResponse = new Response(response.body);
modifiedResponse.headers.set('Access-Control-Allow-Origin', '*');
modifiedResponse.headers.set(
'Access-Control-Allow-Origin',
request.headers.get('Origin') ?? 'null'
);
modifiedResponse.headers.set('Vary', 'Origin');
modifiedResponse.headers.set('Access-Control-Allow-Methods', 'GET');
return modifiedResponse;
@ -47,7 +52,7 @@ async function proxyImage(request: Request): Promise<Response> {
const handler = {
async fetch(request: Request) {
if (!isOriginAllowed(request.headers.get('Origin') || '', ALLOW_ORIGIN)) {
if (!isOriginAllowed(request.headers.get('Origin') ?? '', ALLOW_ORIGIN)) {
return new Response('unauthorized', { status: 401 });
}
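Review bot: The `?? 'null'` fallback in the new `Access-Control-Allow-Origin` call in `proxyImage` (first hunk) should be dropped. `null` is the serialized origin of sandboxed iframes and `data:` documents, so answering `Access-Control-Allow-Origin: null` to a request without an Origin header grants cross-origin read access to exactly those contexts. Omit the header instead: `const origin = request.headers.get('Origin');` then `if (origin !== null) modifiedResponse.headers.set('Access-Control-Allow-Origin', origin);`. The echoed value is also only as trustworthy as the `isOriginAllowed` check in `handler.fetch`, which lives in a different function. A comment on `proxyImage` such as `// Caller must have validated Origin against ALLOW_ORIGIN; the value is reflected into CORS headers.` (or passing the validated origin in as a parameter) would keep a later call site from turning this into reflect-any-origin. Whether an empty Origin passes `isOriginAllowed` is not visible here, and both function bodies continue outside the hunks.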