From 3b2a88c46c088bc175a12858e65361abbe7cd2c4 Mon Sep 17 00:00:00 2001
From: Jonathan Perret
Date: Thu, 7 Mar 2024 18:42:10 +0100
Subject: [PATCH] Remove hostname check in trustOrigin

It seems this was added for test purposes but the current tests all pass without this, and it looks a bit safer to remove it.
---
 app/server/lib/requestUtils.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/server/lib/requestUtils.ts b/app/server/lib/requestUtils.ts
index 890b9702059..521df23d9e8 100644
--- a/app/server/lib/requestUtils.ts
+++ b/app/server/lib/requestUtils.ts
@@ -86,7 +86,6 @@ export function trustOrigin(req: Request, resp: Response): boolean {
 // Note that the request origin is undefined for non-CORS requests.
 const origin = req.get('origin');
 if (!origin) { return true; } // Not a CORS request.
- if (process.env.GRIST_HOST && req.hostname === process.env.GRIST_HOST) { return true; }
 if (!allowHost(req, new URL(origin)) && !isEnvironmentAllowedHost(new URL(origin))) { return false; }
 // For a request to a custom domain, the full hostname must match.