From 6f6a4155a3e8da750992e801ec514f014f91bae8 Mon Sep 17 00:00:00 2001
From: Mark Kittisopikul
Date: Fri, 29 May 2026 21:07:35 -0400
Subject: [PATCH] fix: reflect request origin in CORS responses instead of wildcard

Starlette 0.48 sends Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true when allow_origins=['*'] is used. Browsers reject this combination even for non-credentialed requests (e.g. HTTP Range reads from a cross-origin viewer like zipglancer). Switching to allow_origin_regex=r'.*' causes Starlette to reflect the specific request origin instead of *, which is valid alongside Allow-Credentials: true. Also exposes Accept-Ranges and Content-Length in CORS responses so cross-origin clients can read range-request metadata directly.

Co-Authored-By: Claude Opus 4.8
---
 fileglancer/server.py | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fileglancer/server.py b/fileglancer/server.py
index 92b29d54..42875836 100644
--- a/fileglancer/server.py
+++ b/fileglancer/server.py
@@ -460,11 +460,15 @@ def mask_password(url: str) -> str:
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    # Use allow_origin_regex instead of allow_origins=["*"] so Starlette
+    # reflects the specific request origin rather than returning "*".
+    # This is required because allow_credentials=True + "Access-Control-Allow-Origin: *"
+    # causes browsers to block responses even for non-credentialed requests.
+    allow_origin_regex=r".*",
     allow_credentials=True,
     allow_methods=["GET","HEAD","POST","PUT","PATCH","DELETE"],
     allow_headers=["*"],
-    expose_headers=["Range", "Content-Range"],
+    expose_headers=["Range", "Content-Range", "Accept-Ranges", "Content-Length"],
 )
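Review bot: The added `allow_origin_regex=r".*"` line, kept alongside the existing `allow_credentials=True`, makes Starlette echo every request Origin back with `Access-Control-Allow-Credentials: true`, which tells browsers to attach cookies and other ambient credentials to cross-origin requests from any site — a reflected-origin CORS configuration that exposes more than the `*` it replaces, since the browser previously refused exactly this credentialed combination. If the cross-origin Range reads described in the message do not need credentials, the smaller fix is to keep `allow_origins=["*"]` and set `allow_credentials=False`: browsers accept `*` for non-credentialed requests, so the Range metadata exposed by the new `expose_headers` list is still readable; the claim that `*` is rejected "even for non-credentialed requests" is worth re-checking against the failing request's actual `credentials` mode before committing to origin reflection. If credentialed cross-origin access is genuinely required, the regex should be an anchored, configurable allowlist (constructed example: `r"^https://viewer\.example\.org$"`) rather than `.*`, and it should be anchored regardless because Starlette matches it against the Origin header with a prefix match. Whichever option is chosen, the new comment block should say what is being accepted, e.g. `# NOTE: every Origin is reflected *with* credentials allowed; restrict before serving authenticated endpoints.`. The `app.add_middleware(` call is complete within the hunk.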