fix(core): allow localhost CORS when only one endpoint available

2025-01-27 21:39:16 -05:00 · 2023-02-26 14:59:31 +08:00 · 2023-02-26 14:59:31 +08:00 · 54512c2603
commit 54512c2603
parent 89715baaa6
1 changed files with 12 additions and 4 deletions
--- a/packages/core/src/middleware/koa-cors.ts
+++ b/packages/core/src/middleware/koa-cors.ts
@ -13,14 +13,22 @@ export default function koaCors<StateT, ContextT, ResponseBodyT>(

      if (
        origin &&
-        urlSets.some((set) =>
-          set.deduplicated().some(
+        urlSets.some((set) => {
+          const deduplicated = set.deduplicated();
+
+          // The URL Set has only one endpoint available, just use that endpoint.
+          if (deduplicated.length <= 1) {
+            return deduplicated.some((url) => url.origin === origin);
+          }
+
+          // For multiple endpoints, should filter out localhost in production.
+          return deduplicated.some(
            (url) =>
              url.origin === origin &&
              // Disable localhost CORS in production since it's unsafe
              !(EnvSet.values.isProduction && url.hostname === 'localhost')
-          )
-        )
+          );
+        })
      ) {
        return origin;
      }