ref: 8f3e38f10a26e17f398c32a6caac5d3d19bb715b
parent: ace2ae8862cf3b124d21815a24484c3137ae77c1
author: Philip Silva <philip.silva@protonmail.com>
date: Sun Oct 31 16:50:18 EDT 2021
Better CORS check, minor quickfix
--- a/browser/fs/fs.go
+++ b/browser/fs/fs.go
@@ -157,6 +157,14 @@
}
}
+func allowed(h http.Header, reqHost, origHost string) bool {+ if reqHost == origHost {+ return true
+ }
+ alOrig := h.Get("access-control-allow-origin")+ return alOrig == "*"
+}
+
func xhr(conn net.Conn) {r := bufio.NewReader(conn)
defer conn.Close()
@@ -166,11 +174,12 @@
log.Errorf("read request: %v", err)return
}
+ log.Infof("xhr: req: %v", req)url := req.URL
url.Host = req.Host
if h := url.Host; h == "" {url.Host = Fetcher.Origin().Host
- } else if h != Fetcher.Origin().Host {+ } else if allowed(req.Header, h, Fetcher.Origin().Host) { log.Errorf("no cross-origin request: %v", h)return
}
--- a/style/stylesheets.go
+++ b/style/stylesheets.go
@@ -581,6 +581,14 @@
s.Left = l
}
+ // Limit very rudimentary relative unit calculation
+ if s.Top > 100 {+ s.Top = 0
+ }
+ if s.Bottom > 100 {+ s.Bottom = 0
+ }
+
return
}