The on_prepare handler unconditionally reflected the Origin request header into Access-Control-Allow-Origin, and Socket.IO was configured with cors_allowed_origins='*'. This allowed any website to make authenticated cross-origin requests to all API endpoints, enabling cross-origin download initiation, cookie overwrite, and data deletion. Replace the blanket origin reflection with an explicit allowlist via the CORS_ALLOWED_ORIGINS environment variable. When unset, cross-origin requests are denied by default. Users who need cross-origin access can set CORS_ALLOWED_ORIGINS to a comma-separated list of trusted origins. |
||
|---|---|---|
| .. | ||
| tests | ||
| dl_formats.py | ||
| main.py | ||
| state_store.py | ||
| subscriptions.py | ||
| ytdl.py | ||