Skip to content

fix(cors): support browser extension origins and use array format for allowed origins#397

Merged
AptS-1547 merged 2 commits into
AsterCommunity:masterfrom
YewFence:fix/cors_browser_extension_support
Jul 14, 2026
Merged

fix(cors): support browser extension origins and use array format for allowed origins#397
AptS-1547 merged 2 commits into
AsterCommunity:masterfrom
YewFence:fix/cors_browser_extension_support

Conversation

@YewFence

@YewFence YewFence commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Change cors_allowed_origins config value type from string to string_array
  • Add support for browser extension origins (chrome-extension, moz-extension, safari-web-extension)
  • Update frontend admin settings to input origins as separate items; validate array values
  • Migrate legacy comma-separated origin lists to the new JSON array format on startup
  • Update documentation (English and Chinese) to reflect the new format and extension support
  • Extend test coverage for extension origins, migration, validation, and array handling

Test plan

  • Backend: cargo check
  • Backend: targeted cargo test --lib <filter> or cargo test --test <name> <filter>
  • Frontend: bun run check
  • Frontend: bun run build
  • Manual UI check for user-facing changes

Notes for reviewers

  • Database migrations: N/A
  • Runtime configuration changes: Change cors_allowed_origins config value type from string to string_array, add support for browser extension origins (chrome-extension, moz-extension, safari-web-extension)
  • Deployment or upgrade notes: N/A

Related Issue

Close #396

Summary by CodeRabbit

  • 新功能

    • CORS 允许来源改为数组配置,每项填写一个完整 origin。
    • 支持 HTTP(S) 网站及 Chrome、Firefox、Safari 浏览器扩展来源。
    • 增加旧格式配置的自动迁移与规范化。
  • 改进

    • 优化空白名单、通配符及跨域凭据组合的校验和提示。
    • 更新管理界面及中英文文档,明确配置格式与使用限制。

@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@AptS-1547, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 37 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 7fd609e6-5341-4969-b677-4c8b96fba5ff

📥 Commits

Reviewing files that changed from the base of the PR and between 19934ff and af7a8da.

📒 Files selected for processing (1)
  • docs/config/runtime.md
📝 Walkthrough

Walkthrough

CORS 允许来源从逗号分隔字符串改为 JSON 字符串数组,新增浏览器扩展来源 scheme 支持,并加入旧配置迁移、运行时行为、前端校验、测试及中英文文档更新。

Changes

CORS 配置格式与运行时行为

Layer / File(s) Summary
CORS 配置解析与来源归一化
src/config/cors.rs, src/config/definitions.rs, src/config/system_config.rs
配置改为 JSON 字符串数组,支持 HTTP(S) 与浏览器扩展 origin,并更新通配符及非法 scheme 校验。
旧配置迁移与默认同步
src/db/repository/config_repo.rs
默认同步将旧逗号格式迁移为数组;无效来源被规范化为空数组。
运行时中间件与接口行为
src/api/middleware/cors/mod.rs, tests/test_cors.rs
运行时 CORS 支持扩展来源,相关测试覆盖预检、实际请求、凭据、通配符和白名单清空。
管理界面配置契约
frontend-panel/src/components/admin/settings/*, frontend-panel/src/pages/admin/AdminSettingsPage.test.tsx, frontend-panel/src/i18n/locales/*/admin/settings-network.json, docs/config/runtime.md, docs/en/config/runtime.md
前端配置、校验、测试及双语文档改为数组来源语义。

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant BrowserExtension
  participant CorsMiddleware
  participant CorsConfig
  participant WebDAV
  BrowserExtension->>CorsMiddleware: 发送带扩展 Origin 的请求
  CorsMiddleware->>CorsConfig: 读取并匹配允许来源数组
  CorsConfig-->>CorsMiddleware: 返回匹配结果
  CorsMiddleware->>WebDAV: 放行预检或实际请求
  WebDAV-->>BrowserExtension: 返回 CORS 响应头或错误
Loading

Suggested reviewers: apts-1547

Poem

数组承载来源,旧值悄然迁航
扩展 scheme 越过旧墙
白名单精准发光
WebDAV 听见预检回响
猫猫,这次别把配置写成逗号汤

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 66.13% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed 标题准确概括了支持浏览器扩展来源并将 allowed origins 改为数组格式的主要变更。
Description check ✅ Passed 描述基本覆盖了摘要、测试计划、审阅说明和关联问题,结构与模板要求大体一致。
Linked Issues check ✅ Passed #396 要求放宽 WebDAV CORS 以支持浏览器扩展来源,代码已新增扩展 scheme 支持并同步更新校验与迁移。
Out of Scope Changes check ✅ Passed 未见与 #396 目标无关的明显杂项改动,文档、前端、后端和测试都围绕 CORS 格式与扩展来源展开。
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend-panel/src/pages/admin/AdminSettingsPage.test.tsx`:
- Around line 1215-1217: 更新保存响应 mock 及其
getMockConfigValueType、getMockConfigCategory 配置:对 cors_allowed_origins 返回
string_array 类型和 network 分类,模拟后端实际的 network/string_array 元数据,避免继续回退为
string/storage。
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 7260a044-f6d8-4c57-af17-36214d19acce

📥 Commits

Reviewing files that changed from the base of the PR and between 5775c9e and b4e75e8.

📒 Files selected for processing (14)
  • docs/config/runtime.md
  • docs/en/config/runtime.md
  • frontend-panel/src/components/admin/settings/useAdminSettingsData.test.ts
  • frontend-panel/src/components/admin/settings/useAdminSettingsData.ts
  • frontend-panel/src/i18n/locales/en/admin/settings-network.json
  • frontend-panel/src/i18n/locales/zh/admin/settings-network.json
  • frontend-panel/src/pages/admin/AdminSettingsPage.test.tsx
  • src/api/middleware/cors/mod.rs
  • src/api/middleware/cors/tests.rs
  • src/config/cors.rs
  • src/config/definitions.rs
  • src/config/system_config.rs
  • src/db/repository/config_repo.rs
  • tests/test_cors.rs

Comment thread frontend-panel/src/pages/admin/AdminSettingsPage.test.tsx
…r allowed origins

- Change `cors_allowed_origins` config value type from `string` to `string_array`
- Add support for browser extension origins (`chrome-extension`, `moz-extension`, `safari-web-extension`)
- Update frontend admin settings to input origins as separate items; validate array values
- Migrate legacy comma-separated origin lists to the new JSON array format on startup
- Update documentation (English and Chinese) to reflect the new format and extension support
- Extend test coverage for extension origins, migration, validation, and array handling
@AptS-1547 AptS-1547 force-pushed the fix/cors_browser_extension_support branch from b4e75e8 to 19934ff Compare July 14, 2026 06:21
@AptS-1547 AptS-1547 added Documentation Improvements or additions to documentation Enhancement New feature or request Priority: Medium Medium priority issue Rust Pull requests that update Rust code TypeScript Pull requests that update JavaScript code labels Jul 14, 2026
@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/config/runtime.md`:
- Line 178: 将运行时配置文档中“允许的跨域来源”描述里的“是完整 origin 的数组”改为更自然的“为由完整 origin
组成的数组”,保留后续示例及扩展来源说明不变。
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 20a8fc55-7db2-4b62-80d6-bf3afdbdb7f7

📥 Commits

Reviewing files that changed from the base of the PR and between b4e75e8 and 19934ff.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (12)
  • docs/config/runtime.md
  • docs/en/config/runtime.md
  • frontend-panel/src/components/admin/settings/useAdminSettingsData.test.ts
  • frontend-panel/src/components/admin/settings/useAdminSettingsData.ts
  • frontend-panel/src/i18n/locales/en/admin/settings-network.json
  • frontend-panel/src/i18n/locales/zh/admin/settings-network.json
  • frontend-panel/src/pages/admin/AdminSettingsPage.test.tsx
  • src/api/middleware/cors/mod.rs
  • src/config/cors.rs
  • src/config/definitions.rs
  • src/config/system_config.rs
  • src/db/repository/config_repo.rs
🚧 Files skipped from review as they are similar to previous changes (10)
  • frontend-panel/src/i18n/locales/zh/admin/settings-network.json
  • frontend-panel/src/i18n/locales/en/admin/settings-network.json
  • src/config/system_config.rs
  • frontend-panel/src/components/admin/settings/useAdminSettingsData.ts
  • docs/en/config/runtime.md
  • src/db/repository/config_repo.rs
  • frontend-panel/src/pages/admin/AdminSettingsPage.test.tsx
  • src/config/definitions.rs
  • frontend-panel/src/components/admin/settings/useAdminSettingsData.test.ts
  • src/config/cors.rs

Comment thread docs/config/runtime.md Outdated
@AptS-1547

Copy link
Copy Markdown
Member

LGTM

@AptS-1547 AptS-1547 merged commit e25b9ac into AsterCommunity:master Jul 14, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Documentation Improvements or additions to documentation Enhancement New feature or request Priority: Medium Medium priority issue Rust Pull requests that update Rust code TypeScript Pull requests that update JavaScript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: Webdav CORS 策略前缀限制在 http / https 且不可配置导致 Tampermonkey 插件备份失败

2 participants