diff --git a/plugin/config.json b/plugin/config.json index 9fd31b6..00f2f30 100644 --- a/plugin/config.json +++ b/plugin/config.json @@ -3,5 +3,6 @@ "apiLogPath": null, "webBindAddress": "127.0.0.1", "webBindPort": 8765, - "webCorsOrigin": ["http://localhost"] + "webCorsOrigin": "http://localhost", + "webCorsOriginList": ["http://localhost"] } diff --git a/plugin/util.py b/plugin/util.py index 740840e..c64567a 100644 --- a/plugin/util.py +++ b/plugin/util.py @@ -54,6 +54,7 @@ def setting(key): 'webBindAddress': os.getenv('ANKICONNECT_BIND_ADDRESS', '127.0.0.1'), 'webBindPort': 8765, 'webCorsOrigin': os.getenv('ANKICONNECT_CORS_ORIGIN', 'http://localhost'), + 'webCorsOriginList': ['http://localhost'], 'webTimeout': 10000, } diff --git a/plugin/web.py b/plugin/web.py index adfb71f..5431742 100644 --- a/plugin/web.py +++ b/plugin/web.py @@ -154,13 +154,19 @@ class WebServer: body = json.dumps(None).encode('utf-8') # handle multiple cors origins by checking the 'origin'-header against the allowed origin list from the config - webCorsOriginsSetting = util.setting('webCorsOrigin') - corsOrigin = "http://localhost" - if len(webCorsOriginsSetting) == 1: - corsOrigin = webCorsOriginsSetting[0] - elif b"origin" in req.headers: - originStr = req.headers[b"origin"].decode() - if originStr in webCorsOriginsSetting: + webCorsOriginList = util.setting('webCorsOriginList') + + # keep support for deprecated 'webCorsOrigin' field, as long it is not removed + webCorsOrigin = util.setting('webCorsOrigin') + if webCorsOrigin: + webCorsOriginList.append(webCorsOrigin) + + corsOrigin = 'http://localhost' + if len(webCorsOriginList) == 1: + corsOrigin = webCorsOriginList[0] + elif b'origin' in req.headers: + originStr = req.headers[b'origin'].decode() + if originStr in webCorsOriginList: corsOrigin = originStr headers = [