Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
78 changes: 39 additions & 39 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 5 additions & 0 deletions docs/config/runtime.md
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,11 @@

- 浏览器页面和 AsterDrive 不在同一个域名下
- 想让别的站点在浏览器里直接调用 AsterDrive
- 浏览器扩展需要直接访问 WebDAV 或 API

`允许的跨域来源` 是由完整 origin 组成的数组,每个输入框填写一项,例如 `https://panel.example.com` 或 `chrome-extension://扩展ID`。当前支持 HTTP(S) 站点,以及 Chrome/Edge、Firefox 和 Safari Web Extension 的扩展来源。配置扩展时应填写完整扩展 ID,不要按协议放行所有扩展。

CORS 默认关闭,白名单也默认为空;此时服务端不会添加 CORS 响应头或拦截携带 `Origin` 的请求。启用 CORS 后,只有白名单中的精确来源会被允许。单独填写 `*` 可以允许任意来源,但不能同时开启跨域凭据。

::: tip 同站部署一般不用动
大多数"前端页面和接口都在同一个站点里"的部署不需要碰这里。
Expand Down
5 changes: 5 additions & 0 deletions docs/en/config/runtime.md
Original file line number Diff line number Diff line change
Expand Up @@ -173,6 +173,11 @@ Change it only in these scenarios:

- The browser page and AsterDrive are not under the same domain
- You want another site to call AsterDrive directly from the browser
- A browser extension needs to access WebDAV or the API directly

`Allowed CORS origins` is an array of complete origins, with one item per input. Examples include `https://panel.example.com` and `chrome-extension://extension-id`. HTTP(S) sites and Chrome/Edge, Firefox, and Safari Web Extension origins are supported. For an extension, configure its complete extension ID instead of allowing every extension by scheme.

CORS is disabled by default and the allowlist is empty. In that state, the server neither adds CORS response headers nor rejects requests merely because they carry an `Origin` header. Once CORS is enabled, only exact allowlist matches are accepted. A single `*` item permits any origin, but it cannot be combined with cross-origin credentials.

::: tip Same-site deployments usually do not need changes
Most deployments where "frontend pages and APIs are on the same site" do not need to touch this group.
Expand Down
Loading