Fix some issue with insecure browsers. (#13261)
If you are on a recent chromium or chrome based browser this doesn't affect you. This is to give time for the lazy firefox devs to implement PNA.
This commit is contained in:
comfyanonymous
@@ -146,6 +146,10 @@ def is_loopback(host):
|
|||||||
def create_origin_only_middleware():
|
def create_origin_only_middleware():
|
||||||
@web.middleware
|
@web.middleware
|
||||||
async def origin_only_middleware(request: web.Request, handler):
|
async def origin_only_middleware(request: web.Request, handler):
|
||||||
|
if 'Sec-Fetch-Site' in request.headers:
|
||||||
|
sec_fetch_site = request.headers['Sec-Fetch-Site']
|
||||||
|
if sec_fetch_site == 'cross-site':
|
||||||
|
return web.Response(status=403)
|
||||||
#this code is used to prevent the case where a random website can queue comfy workflows by making a POST to 127.0.0.1 which browsers don't prevent for some dumb reason.
|
#this code is used to prevent the case where a random website can queue comfy workflows by making a POST to 127.0.0.1 which browsers don't prevent for some dumb reason.
|
||||||
#in that case the Host and Origin hostnames won't match
|
#in that case the Host and Origin hostnames won't match
|
||||||
#I know the proper fix would be to add a cookie but this should take care of the problem in the meantime
|
#I know the proper fix would be to add a cookie but this should take care of the problem in the meantime
|
||||||
|
|||||||
Reference in New Issue
Block a user