From 4b9b24ae780524bfb2e1b2662e9100f1e7817be6 Mon Sep 17 00:00:00 2001
From: noexcs <noexcs@163.com>
Date: Sun, 27 Apr 2025 21:29:13 +0800
Subject: [PATCH] fix: The value of the 'Access-Control-Allow-Origin' header in
 the response must not be the wildcard '*' when the request's credentials mode
 is 'include'.

---
 backend/open_webui/config.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py
index 387232797..19c3754f4 100644
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@@ -1255,7 +1255,7 @@ def validate_cors_origin(origin):
 # To test CORS_ALLOW_ORIGIN locally, you can set something like
 # CORS_ALLOW_ORIGIN=http://localhost:5173;http://localhost:8080
 # in your .env file depending on your frontend port, 5173 in this case.
-CORS_ALLOW_ORIGIN = os.environ.get("CORS_ALLOW_ORIGIN", "*").split(";")
+CORS_ALLOW_ORIGIN = os.environ.get("CORS_ALLOW_ORIGIN", "*;http://localhost:5173;http://localhost:8080").split(";")
 
 if "*" in CORS_ALLOW_ORIGIN:
     log.warning(