[PR #4714] [MERGED] sec: Allow setting CORS origin #44591

opened 2026-04-29 18:43:33 -05:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/4714
Author: @crizCraig
Created: 8/18/2024
Status: Merged
Merged: 8/19/2024
Merged by: @tjbck

Base: dev ← Head: set-cors


📝 Commits (4)

  • d2f10d5 Allow setting CORS origin (https://github.com/open-webui/open-webui/commit/d2f10d50bf30e77a0355bf9511bd56060580656d)
  • 7bcdc10 Optimize imports (https://github.com/open-webui/open-webui/commit/7bcdc105392e74dd10875d5195f9508ec88a2271)
  • 845628c Fix tab format causing build failure (https://github.com/open-webui/open-webui/commit/845628c100994a57cf52cf39f160e005a42d79fe)
  • 0550d12 Black format (https://github.com/open-webui/open-webui/commit/0550d12106548f23a9182df878d155905f9f40dc)

📊 Changes

9 files changed (+52 additions, -21 deletions)


📝 backend/apps/audio/main.py (+2 -1)
📝 backend/apps/images/main.py (+2 -7)
📝 backend/apps/ollama/main.py (+2 -1)
📝 backend/apps/openai/main.py (+2 -1)
📝 backend/apps/rag/main.py (+2 -4)
📝 backend/apps/webui/main.py (+2 -3)
📝 backend/config.py (+37 -0)
📝 backend/main.py (+2 -3)
📝 src/lib/i18n/locales/ru-RU/translation.json (+1 -1)

📄 Description

Changelog Entry

Description

  • My semgrep scan picked up CORS * as a medium-level issue, but for open webui, I'd consider it higher since you could have malicious web apps grabbing chat history.

Added

  • CORS_ALLOW_ORIGIN env var with semicolon-delimited allowed origins
  • Checks to make sure origins are valid URLs or *, as the frontend will silently fail with CORS errors otherwise

Changed

  • Changed all FastAPI CORS middleware declarations to use the new env var, e.g.

```python
app.add_middleware(
    CORSMiddleware,
    allow_origins=CORS_ALLOW_ORIGIN,  # used to be ["*"]
    ...
```

The default value is still ["*"], so current users should be unaffected.

Security

  • Allows setting CORS origin in .env for production deployments

How it was tested

  • I tried all functionality with and without setting CORS_ALLOW_ORIGIN
  • I tried valid and invalid CORS to make sure setting had an effect
    • http://localhost:5173,http://localhost:8080
    • notavalidurl
  • I tested apps/images, apps/audio, apps/openai, and main.py in backend
  • I DID NOT test apps/ollama, apps/rag, or apps/webui as I'm not sure how to trigger those, but the change is identical to the other apps. The middleware is configured on import here, but not exercised in manual tests like the above

Screenshots or Videos

  • Image generation works! (screenshot: https://github.com/user-attachments/assets/86c16cbe-7a0c-45e6-b1af-263411554769)

Additional notes

I'll add documentation about the env var in the deploy section.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
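Added example, not open-webui's own code: a parser and validator for a CORS_ALLOW_ORIGIN-style variable following the behaviour the PR describes (delimited origins, each a valid URL or "*"), plus the exact-match check a CORS middleware applies, which is why an entry like notavalidurl, a trailing slash, or a scheme mismatch fails silently in the browser rather than at startup. The function names, the semicolon delimiter, and the rule that "*" may not be mixed with specific origins are assumptions.

```python
from urllib.parse import urlsplit

DELIMITER = ";"  # assumption: the PR description says "semicolon delimited"


def normalize_origin(origin: str) -> str:
    """Lower-case scheme/host and drop a trailing slash so the stored value
    equals what a browser actually sends in the Origin header."""
    parts = urlsplit(origin.strip())
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def is_valid_origin(origin: str) -> bool:
    """Accept "*" or scheme://host[:port]; reject anything a browser Origin
    header can never equal (bad scheme, userinfo, path, query, fragment, bad port)."""
    if origin == "*":
        return True
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None or parts.query or parts.fragment:
        return False
    try:
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False
    return parts.path in ("", "/")


def parse_cors_allow_origin(value, default=("*",)):
    """Turn the raw env-var string into the list handed to CORSMiddleware.
    Invalid entries fail loudly at startup instead of silently in the browser."""
    if value is None or not value.strip():
        return list(default)
    origins = [o.strip() for o in value.split(DELIMITER) if o.strip()]
    bad = [o for o in origins if not is_valid_origin(o)]
    if bad:
        raise ValueError(f"CORS_ALLOW_ORIGIN has invalid origins: {bad}")
    if "*" in origins:
        if len(origins) > 1:  # assumption: "*" would silently override the rest
            raise ValueError("'*' cannot be combined with specific origins")
        return ["*"]
    return list(dict.fromkeys(normalize_origin(o) for o in origins))


def is_allowed(request_origin: str, allow_list) -> bool:
    """Exact-match rule a CORS middleware applies without a regex: either the
    wildcard is configured or the Origin string appears verbatim in the list."""
    return "*" in allow_list or request_origin in allow_list
```

Wire it up with `parse_cors_allow_origin(os.environ.get("CORS_ALLOW_ORIGIN"))` at import time so a typo in the variable aborts startup rather than surfacing as an opaque browser error.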
