
Commit 40cb0aa

committed
CORS preflight: allow OPTIONS without authentication
check for 127.0.0.1 without a port specified
1 parent b303d00 commit 40cb0aa


1 file changed

+12
-4
lines changed


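--- a/supervisor/shared/web_workflow/web_workflow.c
+++ b/supervisor/shared/web_workflow/web_workflow.c
@@ -356,6 +356,7 @@ static bool _origin_ok(const char *origin) {
 const char *http = "http://";
 const char *local = ".local";
 
+// note: redirected requests send an Origin of "null" and will be caught by this
 if (memcmp(origin, http, strlen(http)) != 0) {
 return false;
 }
@@ -374,8 +375,11 @@ static bool _origin_ok(const char *origin) {
 return true;
 }
 
-const char *localhost = "127.0.0.1:";
-if (memcmp(origin + strlen(http), localhost, strlen(localhost)) == 0) {
+// Port or no port
+const char *localhost = "127.0.0.1";
+const int locallen = 9;
+if (memcmp(origin + strlen(http), localhost, locallen) == 0
+&& (localhost[locallen] == '\0' || localhost[locallen] == ':')) {
 return true;
 }
 
@@ -909,7 +913,8 @@ static bool _reply(socketpool_socket_obj_t *socket, _request *request) {
 ESP_LOGE(TAG, "bad origin %s", request->origin);
 _reply_forbidden(socket, request);
 } else if (memcmp(request->path, "/fs/", 4) == 0) {
-if (!request->authenticated) {
+// OPTIONS is sent for CORS preflight, unauthenticated
+if (!request->authenticated && strcmp(request->method, "OPTIONS") != 0) {
 if (_api_password[0] != '\0') {
 _reply_unauthorized(socket, request);
 } else {
@@ -1030,7 +1035,10 @@ static bool _reply(socketpool_socket_obj_t *socket, _request *request) {
 }
 } else if (memcmp(request->path, "/cp/", 4) == 0) {
 const char *path = request->path + 3;
-if (strcmp(request->method, "GET") != 0) {
+if (strcmp(request->method, "OPTIONS") == 0) {
+// handle preflight requests to /cp/
+_reply_access_control(socket, request);
+} else if (strcmp(request->method, "GET") != 0) {
 _reply_method_not_allowed(socket, request);
 } else if (strcmp(path, "/devices.json") == 0) {
 _reply_with_devices_json(socket, request);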
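Review bot: In the second hunk the trailing-character test indexes the constant pattern rather than the request's Origin: `localhost[locallen]` is always the NUL terminator of "127.0.0.1", so the `||` condition is always true and any origin whose host merely begins with `127.0.0.1` (for example `http://127.0.0.1.example`) is accepted as local, which defeats the port-or-no-port intent of the change. The comparison should index the origin's host instead: `const char *host = origin + strlen(http);` `if (memcmp(host, localhost, locallen) == 0` `&& (host[locallen] == '\0' || host[locallen] == ':')) {`. Comparing a fixed 9 bytes with memcmp can also read past the terminator when the origin is shorter than 16 characters; `strncmp(host, localhost, locallen) == 0` stops at the NUL and avoids that. _origin_ok continues outside the hunk, so I cannot tell whether a later check would reject such an origin.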
