diff --git a/fileglancer/server.py b/fileglancer/server.py
index 92b29d54..42875836 100644
--- a/fileglancer/server.py
+++ b/fileglancer/server.py
@@ -460,11 +460,15 @@ def mask_password(url: str) -> str:
 app.add_middleware(
 CORSMiddleware,
- allow_origins=["*"],
+ # Use allow_origin_regex instead of allow_origins=["*"] so Starlette
+ # reflects the specific request origin rather than returning "*".
+ # This is required because allow_credentials=True + "Access-Control-Allow-Origin: *"
+ # causes browsers to block responses even for non-credentialed requests.
+ allow_origin_regex=r".*",
 allow_credentials=True,
 allow_methods=["GET","HEAD","POST","PUT","PATCH","DELETE"],
 allow_headers=["*"],
- expose_headers=["Range", "Content-Range"],
+ expose_headers=["Range", "Content-Range", "Accept-Ranges", "Content-Length"],
 )
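Review bot: `allow_origin_regex=r".*"` together with `allow_credentials=True` makes the middleware echo back whatever `Origin` a request carries and mark it as allowed with credentials, which is exactly the combination the browser rule against `*` plus credentials is meant to prevent. A page on any site can then send cookie-bearing requests to this API and read the responses, to the extent the cookies' SameSite settings let them be sent. If credentialed cross-origin access is really needed, the pattern should match only the origins that serve the front end, e.g. `allow_origin_regex=r"https://(<TRUSTED_HOST_PATTERN_PLACEHOLDER>)"`, ideally read from configuration; if it is not needed, `allow_credentials=False` with `allow_origins=["*"]` avoids the browser conflict the comment describes. The added comment presents the change as a compatibility fix only, so it should also state that the regex is deliberately open and why that is acceptable. How the API authenticates requests is not visible in this hunk, so the exposure depends on whether it relies on cookies or other ambient credentials.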