Fix: invalid CORS configuration combination (wildcard origin + credentials) #6

Open
joy717 wants to merge 1 commit into linux-do:master from joy717:fix/cors-credentials

Conversation

@joy717 joy717 commented Jun 17, 2026

Problem

The CORS middleware in lottery_server.py:

app.add_middleware(
    CORSMiddleware,
    allow_origins=["*"],
    allow_credentials=True,
    ...
)

`allow_origins=["*"]` together with `allow_credentials=True` is an invalid combination. Browsers refuse to accept `Access-Control-Allow-Origin: *` on requests that carry credentials; to get around that restriction, Starlette instead reflects the request's Origin and adds `Access-Control-Allow-Credentials: true`, which is equivalent to allowing any site to make credentialed cross-origin requests.

Change

    allow_credentials=False,

This tool does not rely on browser-side credentials (the forum cookie is read from cookies.txt and sent by the server), so turning off `allow_credentials` keeps the open wildcard origin while removing the unsafe credential reflection.

🤖 Generated with Claude Code

`allow_origins=["*"]` combined with `allow_credentials=True` is an
invalid CORS combination — browsers reject `Access-Control-Allow-Origin: *`
on credentialed requests, and Starlette works around it by reflecting the
request Origin, effectively allowing any site to send credentialed
requests.

This tool makes no use of browser-side credentials (the forum cookies are
sent server-side from cookies.txt), so set allow_credentials=False to keep
the open wildcard origin without the unsafe credential reflection.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
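The header behaviour described in this PR, modelled as an added example that is not code from the repository or from Starlette: a small model of how a CORS middleware answers a credentialed cross-origin request under the before and after settings, plus an audit check for the wildcard-plus-credentials combination. The `CorsConfig` type, the `cors_response_headers` and `exposes_credentials_to_any_origin` functions, and the origin `https://other-site.example` are assumptions made for the example; the model follows the description above rather than Starlette's source.

```python
from dataclasses import dataclass, field


@dataclass
class CorsConfig:
    """Subset of CORSMiddleware settings that matter for this PR (assumed type)."""
    allow_origins: list = field(default_factory=list)
    allow_credentials: bool = False


def cors_response_headers(cfg: CorsConfig, origin: str, credentialed: bool) -> dict:
    """Model of the headers a CORS middleware sends back for a simple
    cross-origin request from `origin`. `credentialed` means the browser
    attached cookies or an Authorization header. This is a simplified model
    written for the example, not Starlette's implementation."""
    headers = {}
    wildcard = cfg.allow_origins == ["*"]
    if wildcard and cfg.allow_credentials and credentialed:
        # Browsers reject "*" on credentialed responses, so the middleware
        # reflects the caller's Origin and marks the response as credentialed:
        # any origin that asks gets a cookie-bearing, readable response.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
        headers["Vary"] = "Origin"
    elif wildcard:
        # With credentials disabled the wildcard is returned unchanged; the
        # browser will not expose a credentialed response under "*".
        headers["Access-Control-Allow-Origin"] = "*"
    elif origin in cfg.allow_origins:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
        if cfg.allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def exposes_credentials_to_any_origin(cfg: CorsConfig) -> bool:
    """Audit check: True for the wildcard-origin + credentials combination."""
    return cfg.allow_origins == ["*"] and cfg.allow_credentials


# The two configurations from the PR: before and after the fix.
BEFORE = CorsConfig(allow_origins=["*"], allow_credentials=True)
AFTER = CorsConfig(allow_origins=["*"], allow_credentials=False)

if __name__ == "__main__":
    origin = "https://other-site.example"  # constructed third-party origin
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, exposes_credentials_to_any_origin(cfg),
              cors_response_headers(cfg, origin, credentialed=True))
```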