From 5f0117154382eb0e2547c72630256681673e353b Mon Sep 17 00:00:00 2001
From: AUTOMATIC <16777216c@gmail.com>
Date: Fri, 4 Nov 2022 10:07:29 +0300
Subject: shut down gradio's "everything allowed" CORS policy; I checked the main functionality to work with this, but if this breaks some exotic workflow, I'm sorry.
---
 webui.py | 6 ++++++
 1 file changed, 6 insertions(+)
(limited to 'webui.py')
diff --git a/webui.py b/webui.py
index 3b21c071..81df09dd 100644
--- a/webui.py
+++ b/webui.py
@@ -141,6 +141,12 @@ def webui():
     # after initial launch, disable --autolaunch for subsequent restarts
     cmd_opts.autolaunch = False
 
+    # gradio uses a very open CORS policy via app.user_middleware, which makes it possible for
+    # an attacker to trick the user into opening a malicious HTML page, which makes a request to the
+    # running web ui and do whatever the attcker wants, including installing an extension and
+    # runnnig its code. We disable this here. Suggested by RyotaK.
+    app.user_middleware = [x for x in app.user_middleware if x.cls.__name__ != 'CORSMiddleware']
+
     app.add_middleware(GZipMiddleware, minimum_size=1000)
 
     if launch_api:
-- 
cgit v1.2.3
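Review bot: The filter on the added `app.user_middleware = [...]` line keys only on the class name `'CORSMiddleware'`, so if a future gradio release wraps, renames or re-registers that middleware the comprehension silently drops nothing and the "everything allowed" policy comes back without any signal; the code should check that an entry was actually removed and warn loudly when it was not. It is also worth a caveat in the comment that removing CORS only stops a browser from completing cross-origin preflighted requests and reading responses — it does not validate the Host header, so a DNS-rebinding page resolving to 127.0.0.1 is same-origin and unaffected, and a Host/Origin allow-list would be the complementary check. The added comment has typos (`attcker` → `attacker`, `runnnig` → `running`). The enclosing `webui()` function starts and ends outside the hunk.
```python
    cmd_opts.autolaunch = False

    # … unchanged: comment explaining why gradio's CORSMiddleware is removed …
    middleware_count = len(app.user_middleware)
    app.user_middleware = [x for x in app.user_middleware if x.cls.__name__ != 'CORSMiddleware']
    if len(app.user_middleware) == middleware_count:
        # the name-based match found nothing: gradio's CORS policy is still in force
        print("Warning: gradio CORSMiddleware not found; permissive CORS policy was NOT removed")

    app.add_middleware(GZipMiddleware, minimum_size=1000)
```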