shut down gradio's "everything allowed" CORS policy; I checked the main functionality to work with this, but if this breaks some exotic workflow, I'm sorry.

This commit is contained in:
AUTOMATIC
2022-11-04 10:07:29 +03:00
parent f2b69709ea
commit 5f01171543
2 changed files with 10 additions and 3 deletions

@@ -141,6 +141,12 @@ def webui():
# after initial launch, disable --autolaunch for subsequent restarts
cmd_opts.autolaunch = False
# gradio uses a very open CORS policy via app.user_middleware, which makes it possible for
# an attacker to trick the user into opening a malicious HTML page, which makes a request to the
# running web ui and do whatever the attcker wants, including installing an extension and
# runnnig its code. We disable this here. Suggested by RyotaK.
app.user_middleware = [x for x in app.user_middleware if x.cls.__name__ != 'CORSMiddleware']
app.add_middleware(GZipMiddleware, minimum_size=1000)
if launch_api:
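
Review bot: The filter on `app.user_middleware` matches by class-name string (`x.cls.__name__ != 'CORSMiddleware'`), so if gradio renames, subclasses or wraps that middleware, the comprehension removes nothing and the open CORS policy stays in place without any error. Consider comparing against the imported class itself (`x.cls is not CORSMiddleware`) and checking that the list actually got shorter, logging or failing at startup if it did not, since this line is a security control. The added comment also has two typos, "attcker" and "runnnig".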