metube/app
az10b 0072d3488a Fix permissive CORS policy that allows cross-origin attacks
The on_prepare handler unconditionally reflected the Origin request
header into Access-Control-Allow-Origin, and Socket.IO was configured
with cors_allowed_origins='*'. This allowed any website to make
authenticated cross-origin requests to all API endpoints, enabling
cross-origin download initiation, cookie overwrite, and data deletion.

Replace the blanket origin reflection with an explicit allowlist via
the CORS_ALLOWED_ORIGINS environment variable. When unset, cross-origin
requests are denied by default. Users who need cross-origin access can
set CORS_ALLOWED_ORIGINS to a comma-separated list of trusted origins.
2026-04-09 19:45:51 -05:00
..
tests fix: parse string boolean values when updating subscriptions 2026-04-05 14:05:59 +08:00
dl_formats.py code review fixes 2026-03-15 20:53:13 +02:00
main.py Fix permissive CORS policy that allows cross-origin attacks 2026-04-09 19:45:51 -05:00
state_store.py add subscriptions; change persistence file format to JSON (closes #901, #76, #113, #170, #242, #444, #503, #555, #566) 2026-04-01 14:33:24 +03:00
subscriptions.py fix: handle playlists that don't supply video ids 2026-04-09 10:15:11 -05:00
ytdl.py fix: handle playlists that don't supply video ids 2026-04-09 10:15:11 -05:00