rixty
/
SillyTavern
mirror of https://github.com/SillyTavern/SillyTavern.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Disalow x-forwarded headers in CORS redirect

This commit is contained in:
Cohee 2024-07-22 14:19:20 +00:00
parent 788a13d7e3
commit f3cfc4c3c9
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
server.js
View File

@ -168,14 +168,14 @@ if (enableCorsProxy) {
try { try {
const headers = JSON.parse(JSON.stringify(req.headers)); const headers = JSON.parse(JSON.stringify(req.headers));
delete headers['x-csrf-token']; const headersToRemove = [
delete headers['host']; 'x-csrf-token', 'host', 'referer', 'origin', 'cookie',
delete headers['referer']; 'x-forwarded-for', 'x-forwarded-protocol', 'x-forwarded-proto',
delete headers['origin']; 'x-forwarded-host', 'x-real-ip', 'sec-fetch-mode',
delete headers['cookie']; 'sec-fetch-site', 'sec-fetch-dest',
delete headers['sec-fetch-mode']; ];
delete headers['sec-fetch-site'];
delete headers['sec-fetch-dest']; headersToRemove.forEach(header => delete headers[header]);
const bodyMethods = ['POST', 'PUT', 'PATCH']; const bodyMethods = ['POST', 'PUT', 'PATCH'];