diff options
| author | AUTOMATIC1111 <16777216c@gmail.com> | 2022-11-04 08:00:32 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-11-04 08:00:32 +0000 |
| commit | e9c767d8dba884762b39d36fbd7cd43f818acf24 (patch) | |
| tree | b1d1a0cb9a445443ec18524b0c3906e94d21a26e /webui.py | |
| parent | b2c48091db394c2b7d375a33f18d90c924cd4363 (diff) | |
| parent | 2913b9f02500049c76c3d1469c086767411cefa9 (diff) | |
| download | stable-diffusion-webui-gfx803-e9c767d8dba884762b39d36fbd7cd43f818acf24.tar.gz stable-diffusion-webui-gfx803-e9c767d8dba884762b39d36fbd7cd43f818acf24.tar.bz2 stable-diffusion-webui-gfx803-e9c767d8dba884762b39d36fbd7cd43f818acf24.zip | |
Merge branch 'master' into 7flash/fix-api-compatibility
Diffstat (limited to 'webui.py')
| -rw-r--r-- | webui.py | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -141,6 +141,12 @@ def webui(): # after initial launch, disable --autolaunch for subsequent restarts
cmd_opts.autolaunch = False
+ # gradio uses a very open CORS policy via app.user_middleware, which makes it possible for
+ # an attacker to trick the user into opening a malicious HTML page, which makes a request to the
+ # running web ui and do whatever the attcker wants, including installing an extension and
+ # runnnig its code. We disable this here. Suggested by RyotaK.
+ app.user_middleware = [x for x in app.user_middleware if x.cls.__name__ != 'CORSMiddleware']
+
app.add_middleware(GZipMiddleware, minimum_size=1000)
if launch_api:
|