fix: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

2025-06-26 18:26:48 +00:00 · 2025-04-27 21:29:13 +08:00 · 2025-04-27 21:29:13 +08:00 · 4b9b24ae78
commit 4b9b24ae78
parent 1349bc47b1
1 changed files with 1 additions and 1 deletions
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@ -1255,7 +1255,7 @@ def validate_cors_origin(origin):
 # To test CORS_ALLOW_ORIGIN locally, you can set something like
 # CORS_ALLOW_ORIGIN=http://localhost:5173;http://localhost:8080
 # in your .env file depending on your frontend port, 5173 in this case.
-CORS_ALLOW_ORIGIN = os.environ.get("CORS_ALLOW_ORIGIN", "*").split(";")
+CORS_ALLOW_ORIGIN = os.environ.get("CORS_ALLOW_ORIGIN", "*;http://localhost:5173;http://localhost:8080").split(";")

 if "*" in CORS_ALLOW_ORIGIN:
    log.warning(