Commit Graph

17 Commits

Author SHA1 Message Date
nihil-admirari
423d3e2aa2
Correct JSON MIME type (Fixes #393) 2023-06-23 09:12:28 +03:00
oakkitten
9c3310a8b6 Don't crash if JSON is valid but of wrong schema 2022-05-11 20:32:09 +01:00
oakkitten
bffbb051f2 Produce a better error in case of malformed JSON
$ curl localhost:8777 -X POST -i -d '{"action": "version", "version": 6},' && echo ␄
HTTP/1.1 200 OK
Content-Type: text/json
Access-Control-Allow-Origin: http://localhost
Access-Control-Allow-Headers: *
Content-Length: 67

{"result": null, "error": "Extra data: line 1 column 36 (char 35)"}␄

$ curl localhost:8777 -X POST -i -d '{"action": "version", "version": 6},' -H "Origin: foo" && echo ␄
HTTP/1.1 403 Forbidden
Access-Control-Allow-Origin: http://localhost
Access-Control-Allow-Headers: *

␄
2022-05-11 20:32:08 +01:00
Raphael-Joel Lim
a5aecfceee
Explicitly allow requests from public websites via new header (#302)
- Chrome now enforces that servers on private networks explicitly
  grant access to public websites using a new header
  "Access-Control-Allow-Private-Network" that should be sent in
  responses to preflight OPTIONS requests.
- This change implements special handling for OPTIONS requests by
  sending all the existing CORS headers along with the new
  Access-Control-Allow-Private-Network header if private network
  access is being requested.
- See https://developer.chrome.com/blog/private-network-access-preflight/
  for more info.
2022-02-18 23:08:44 -08:00
Jone Wang
7136a15ade
Allow safari-web-extension to access Aniki Connect. (#297)
* Allow safari-web-extension to access Aniki Connect.

* Fix typo.
2022-01-08 20:01:00 -08:00
Ren Tatsumoto
418ebcb0de
Fix updateModelTemplates and updateModelStyling functionality on Anki 2.1.45 and later (#296)
* fix update functionality on anki 2.1.45+

* delete trailing semicolon in the statement
2021-12-26 22:21:21 -08:00
DegrangeM
9fec86f7fe
Add requestPermission API method (#255)
* Add requestPermission Api Method

* Add documentation about requestPermission method

* Update version documentation
2021-05-07 20:33:06 -07:00
DegrangeM
9472ac4401
Fix vulnerability (#252)
* Improve and simplify code handling CORS

* Don't execute request when origin not allowed

Fix vulnerability

* Remove webCorsOrigin legacy option

It's confusing (and potentially insecure as removing webCorsOrigin in configuration would still set it to localhost)

* Allow 127.0.0.1 and browser extension if localhost allowed
2021-05-05 22:31:11 -07:00
Alexander Ryzhikov
8b81267b0c
Add Access-Control-Allow-Headers * (#231) 2021-02-21 11:24:08 -08:00
431ee362fc Initial cleanup pass 2021-01-17 22:13:27 -08:00
kanjieater
5386364c8d
Server no longer hangs on client disconnects (#217)
* Server no longer hangs on client disconnects

* Changed timeout and am now catching errors explicitly

Co-authored-by: KanjiEater <kanjieat3r@gmail.com>
2020-12-28 13:57:22 -08:00
yekingyan
e0e0e57321 Add support for use '*' to allow CORS for all domains 2020-04-12 15:52:52 +08:00
Yannick Mau
002b7cbf97 Deprecate field 'webCorsOrigin' but keep temporary support for it. 2020-02-28 01:17:53 +01:00
Yannick Mau
413b27a21e Add support for multiple cors origins 2020-02-17 17:44:58 +01:00
7603f2b251 Fix error viewing AnkiConnect page 2020-01-05 17:49:41 -08:00
2767d2928e Add link script, fix plugin 2020-01-05 17:41:34 -08:00
173e43700b Cleanup 2020-01-05 15:42:08 -08:00