
Add support for cross-origin requests

Open rkaczorek opened this issue 3 months ago • 3 comments

By default requests coming from other domains are rejected. Adding open CORS policy allows to use indiweb as a middleware for other apps. Depending on user needs CORS policy can be customized using available configuration parameters: origins, methods, headers and credentials.

rkaczorek avatar Sep 06 '25 17:09 rkaczorek

Thank you @rkaczorek.

@s-pouya-sh Please check.

knro avatar Sep 06 '25 18:09 knro

Thanks for the contribution — adding CORS support makes sense since indiwebmanager can act as middleware or be accessed from other local apps.

However, using an open CORS policy (allow_origins=["*"] with allow_credentials=True) isn’t safe to merge as-is. Even though the service runs locally, a malicious website could still make cross-origin requests to localhost and potentially interact with the INDI server on the user’s machine.

To keep it secure while still allowing local integrations, please either:

Restrict allowed origins to local addresses (e.g. ["http://localhost", "http://127.0.0.1"]), or

Make allow_origins configurable via an environment variable or CLI option (defaulting to localhost).

This will keep local integrations working without exposing users to unnecessary risk.

s-pouya-sh avatar Oct 12 '25 13:10 s-pouya-sh
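To make the review point concrete, here is an added example (not indiwebmanager's code, nor anything from this pull request) of the policy the reviewer describes: origins default to the local addresses, `allow_origins=["*"]` combined with credentials is refused outright, and the evaluator only echoes an `Access-Control-Allow-Origin` for origins on the list, so a page served from another site gets no usable CORS headers. The option names `--cors-origins`, `--cors-methods`, `--cors-headers` and `--cors-credentials`, the class `CorsPolicy` and the sample origins are assumptions made for this example; only standard-library modules are used, so it runs without the web framework.

```python
"""Added example: a small CORS policy evaluator with localhost defaults.

Not indiwebmanager's own code; option and class names are assumptions.
"""
import argparse
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Origins a browser sends for pages loaded from the local machine. The port is part
# of the origin, so a client page on http://localhost:8080 must be listed as such.
DEFAULT_ORIGINS = ["http://localhost", "http://127.0.0.1"]
DEFAULT_METHODS = ["GET", "POST"]
DEFAULT_HEADERS = ["Content-Type"]


@dataclass
class CorsPolicy:
    origins: List[str] = field(default_factory=lambda: list(DEFAULT_ORIGINS))
    methods: List[str] = field(default_factory=lambda: list(DEFAULT_METHODS))
    headers: List[str] = field(default_factory=lambda: list(DEFAULT_HEADERS))
    credentials: bool = False

    def __post_init__(self) -> None:
        # Wildcard origins plus credentials is the unsafe combination from the review:
        # browsers reject it, and a server that "helps" by echoing any Origin instead
        # would let any website make credentialed requests to the local service.
        if "*" in self.origins and self.credentials:
            raise ValueError("allow_origins=['*'] cannot be combined with allow_credentials=True")
        self.methods = [m.upper() for m in self.methods]
        self.headers = [h.lower() for h in self.headers]

    def response_headers(self, origin: Optional[str]) -> Dict[str, str]:
        """Headers to add to an actual (non-preflight) response.

        Returns {} when the request is same-origin (no Origin header) or the origin
        is not allowed; without Access-Control-Allow-Origin the browser blocks the read.
        """
        if origin is None:
            return {}
        if "*" in self.origins:
            # Open policy: readable by any site, but never with credentials (see above).
            return {"Access-Control-Allow-Origin": "*"}
        if origin not in self.origins:
            return {}
        hdrs = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
        if self.credentials:
            hdrs["Access-Control-Allow-Credentials"] = "true"
        return hdrs

    def preflight_headers(self, origin: Optional[str], method: str,
                          requested_headers: List[str]) -> Dict[str, str]:
        """Headers for an OPTIONS preflight; {} means the preflight is refused."""
        base = self.response_headers(origin)
        if not base:
            return {}
        if method.upper() not in self.methods:
            return {}
        if any(h.lower() not in self.headers for h in requested_headers):
            return {}
        base["Access-Control-Allow-Methods"] = ", ".join(self.methods)
        base["Access-Control-Allow-Headers"] = ", ".join(requested_headers)
        return base


def _csv(value: str) -> List[str]:
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_cli(argv: List[str]) -> CorsPolicy:
    """Build the policy from hypothetical CLI options, defaulting to localhost."""
    parser = argparse.ArgumentParser(description="CORS policy example")
    parser.add_argument("--cors-origins", default=",".join(DEFAULT_ORIGINS),
                        help="comma-separated allowed origins; '*' allows all (no credentials)")
    parser.add_argument("--cors-methods", default=",".join(DEFAULT_METHODS))
    parser.add_argument("--cors-headers", default=",".join(DEFAULT_HEADERS))
    parser.add_argument("--cors-credentials", action="store_true")
    args = parser.parse_args(argv)
    return CorsPolicy(origins=_csv(args.cors_origins), methods=_csv(args.cors_methods),
                      headers=_csv(args.cors_headers), credentials=args.cors_credentials)


if __name__ == "__main__":
    policy = parse_cli([])  # defaults only: localhost origins, no credentials
    # Constructed sample Origin values: a local page and a page from some other site.
    for sample in ["http://localhost", "https://other-site.example"]:
        print(sample, "->", policy.response_headers(sample) or "blocked")
```

With the defaults, a request carrying `Origin: https://other-site.example` gets no `Access-Control-Allow-Origin` at all, which is the outcome the reviewer asks for; a user who really wants the open policy can pass `--cors-origins '*'`, but the constructor refuses to pair that with `--cors-credentials`.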

You are absolutely right. I was too quick with a PR. I have added CLI parameter (defaulting to localhost).

rkaczorek avatar Oct 20 '25 14:10 rkaczorek