DBT/clawgo
1
0
Fork 0
mirror of https://github.com/YspCoder/clawgo.git synced 2026-04-14 11:17:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

Allow direct IP webui sessions

Browse Source
This commit is contained in:
lpf
2026-03-16 13:46:50 +08:00
parent 2d73d766fd
commit 0ff9245a0e
5 changed files with 63 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
pkg/api/server.go
View File

@@ -343,6 +343,25 @@ func requestOrigin(r *http.Request) string {
return scheme + "://" + canonicalOriginHost(r.Host, scheme == "https")
}
func sameSiteOrigin(originA, originB string) bool {
parsedA, err := url.Parse(strings.TrimSpace(originA))
if err != nil || parsedA == nil {
return false
}
parsedB, err := url.Parse(strings.TrimSpace(originB))
if err != nil || parsedB == nil {
return false
}
schemeA := strings.ToLower(strings.TrimSpace(parsedA.Scheme))
schemeB := strings.ToLower(strings.TrimSpace(parsedB.Scheme))
if schemeA == "" || schemeB == "" || schemeA != schemeB {
return false
}
hostA := strings.ToLower(strings.TrimSpace(parsedA.Hostname()))
hostB := strings.ToLower(strings.TrimSpace(parsedB.Hostname()))
return hostA != "" && hostA == hostB
}
func (s *Server) isTrustedOrigin(r *http.Request) bool {
if r == nil {
return false
@@ -360,7 +379,17 @@ func (s *Server) isTrustedOrigin(r *http.Request) bool {
func (s *Server) shouldUseCrossSiteCookie(r *http.Request) bool {
origin := normalizeOrigin(r.Header.Get("Origin"))
return origin != "" && origin != requestOrigin(r) && s.isTrustedOrigin(r)
if origin == "" || !s.isTrustedOrigin(r) {
return false
}
reqOrigin := requestOrigin(r)
if origin == reqOrigin {
return false
}
if sameSiteOrigin(origin, reqOrigin) {
return false
}
return true
}
func (s *Server) websocketUpgrader() *websocket.Upgrader {