Disallow x-forwarded headers in CORS redirect

Cohee 2024-07-22 14:19:20 +00:00
parent 788a13d7e3
commit f3cfc4c3c9
1 changed files with 8 additions and 8 deletions


@ -168,14 +168,14 @@ if (enableCorsProxy) {
try {
const headers = JSON.parse(JSON.stringify(req.headers));
delete headers['x-csrf-token'];
delete headers['host'];
delete headers['referer'];
delete headers['origin'];
delete headers['cookie'];
delete headers['sec-fetch-mode'];
delete headers['sec-fetch-site'];
delete headers['sec-fetch-dest'];
const headersToRemove = [
'x-csrf-token', 'host', 'referer', 'origin', 'cookie',
'x-forwarded-for', 'x-forwarded-protocol', 'x-forwarded-proto',
'x-forwarded-host', 'x-real-ip', 'sec-fetch-mode',
'sec-fetch-site', 'sec-fetch-dest',
];
headersToRemove.forEach(header => delete headers[header]);
const bodyMethods = ['POST', 'PUT', 'PATCH'];