|
|
@@ -1366,10 +1366,11 @@ if THREAD_POOL_SIZE is not None and isinstance(THREAD_POOL_SIZE, str):
|
|
|
def validate_cors_origin(origin):
|
|
|
parsed_url = urlparse(origin)
|
|
|
|
|
|
- # Check if the scheme is either http or https
|
|
|
- if parsed_url.scheme not in ["http", "https"]:
|
|
|
+ # Check if the scheme is either http or https, or a custom scheme
|
|
|
+ schemes = ["http", "https" ] + CORS_ALLOW_CUSTOM_SCHEME
|
|
|
+ if parsed_url.scheme not in schemes:
|
|
|
raise ValueError(
|
|
|
- f"Invalid scheme in CORS_ALLOW_ORIGIN: '{origin}'. Only 'http' and 'https' are allowed."
|
|
|
+ f"Invalid scheme in CORS_ALLOW_ORIGIN: '{origin}'. Only 'http' and 'https' and CORS_ALLOW_CUSTOM_SCHEME are allowed."
|
|
|
)
|
|
|
|
|
|
# Ensure that the netloc (domain + port) is present, indicating it's a valid URL
|
|
|
@@ -1384,6 +1385,11 @@ def validate_cors_origin(origin):
|
|
|
# in your .env file depending on your frontend port, 5173 in this case.
|
|
|
CORS_ALLOW_ORIGIN = os.environ.get("CORS_ALLOW_ORIGIN", "*").split(";")
|
|
|
|
|
|
+# Allows custom URL schemes (e.g., app://) to be used as origins for CORS.
|
|
|
+# Useful for local development or desktop clients with schemes like app:// or other custom protocols.
|
|
|
+# Provide a semicolon-separated list of allowed schemes in the environment variable CORS_ALLOW_CUSTOM_SCHEMES.
|
|
|
+CORS_ALLOW_CUSTOM_SCHEME = os.environ.get("CORS_ALLOW_CUSTOM_SCHEME", "").split(";")
|
|
|
+
|
|
|
if CORS_ALLOW_ORIGIN == ["*"]:
|
|
|
log.warning(
|
|
|
"\n\nWARNING: CORS_ALLOW_ORIGIN IS SET TO '*' - NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS.\n"
|
Tim Jaeryang Baek