author | evshiron <evshiron@gmail.com> | 2022-11-04 17:43:02 +0000 |
---|---|---|
committer | evshiron <evshiron@gmail.com> | 2022-11-04 17:43:02 +0000 |
commit | 73e1cd6f53f3566973805666a4049450cdb8da1b (patch) | |
tree | 90c4f0e6b8853c564894409c596e4bd57bca578a /webui.py | |
parent | e21fcd72fcf147904a1df060226c4df12acf251e (diff) | |
parent | 89722fb5e4eda2adc5d3a6abf8babf8a58e80d69 (diff) | |
Merge branch 'master' into fix/encode-pnginfo
Diffstat (limited to 'webui.py')
-rw-r--r-- | webui.py | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -141,6 +141,12 @@ def webui():
 # after initial launch, disable --autolaunch for subsequent restarts
cmd_opts.autolaunch = False
+ # gradio uses a very open CORS policy via app.user_middleware, which makes it possible for
+ # an attacker to trick the user into opening a malicious HTML page, which makes a request to the
+ # running web ui and do whatever the attcker wants, including installing an extension and
+ # runnnig its code. We disable this here. Suggested by RyotaK.
+ app.user_middleware = [x for x in app.user_middleware if x.cls.__name__ != 'CORSMiddleware']
+
app.add_middleware(GZipMiddleware, minimum_size=1000)
if launch_api:
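Review bot: The filter on the `app.user_middleware` line matches the middleware by the string `'CORSMiddleware'`, so if gradio ever wraps, subclasses or renames that class it removes nothing and the permissive policy returns without any error. Comparing against the class itself is sturdier, e.g. `from starlette.middleware.cors import CORSMiddleware` and `if x.cls is not CORSMiddleware`, with a check afterwards that no CORS entry remains so a miss is loud (this assumes gradio registers the Starlette/FastAPI class, which should be confirmed). The edit also appears to take effect only because the `app.add_middleware(GZipMiddleware, ...)` call right after it rebuilds the middleware stack; a comment such as `# must run before add_middleware(), which rebuilds the stack` would keep a later reorder from undoing the fix. Dropping the CORS headers stops browsers from exposing responses and from passing preflighted requests, but it is not an Origin check, so state-changing endpoints still need their own validation. `webui()` begins and ends outside this hunk.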