Merge branch 'master' into fix-ckpt-cache

author: AUTOMATIC1111 <16777216c@gmail.com> 2022-11-04 10:54:17 +0300
committer: GitHub <noreply@github.com> 2022-11-04 10:54:17 +0300
commit: 24fc05cf576c80976773d09b341b9c9b2274a492 (patch)
tree: 89829bec0144ac0da7c0ae340cd8435427efb01e /webui.py
parent: a613fbc05e037622e1f20667d428be3f72894f16 (diff)
parent: 352b33106a64a8c34d1f5d79fcb377a73b02e39c (diff)
1 files changed, 6 insertions, 0 deletions
diff --git a/webui.py b/webui.py
index 3b21c071..81df09dd 100644
--- a/webui.py
+++ b/webui.py
@@ -141,6 +141,12 @@ def webui():
         # after initial launch, disable --autolaunch for subsequent restarts
         cmd_opts.autolaunch = False
 
+        # gradio uses a very open CORS policy via app.user_middleware, which makes it possible for
+        # an attacker to trick the user into opening a malicious HTML page, which makes a request to the
+        # running web ui and do whatever the attcker wants, including installing an extension and
+        # runnnig its code. We disable this here. Suggested by RyotaK.
+        app.user_middleware = [x for x in app.user_middleware if x.cls.__name__ != 'CORSMiddleware']
+
         app.add_middleware(GZipMiddleware, minimum_size=1000)
 
         if launch_api:
author	AUTOMATIC1111 <16777216c@gmail.com>	2022-11-04 10:54:17 +0300
committer	GitHub <noreply@github.com>	2022-11-04 10:54:17 +0300
commit	24fc05cf576c80976773d09b341b9c9b2274a492 (patch)
tree	89829bec0144ac0da7c0ae340cd8435427efb01e /webui.py
parent	a613fbc05e037622e1f20667d428be3f72894f16 (diff)
parent	352b33106a64a8c34d1f5d79fcb377a73b02e39c (diff)