Finding
The local backend appears to apply permissive CORS to endpoints that read local media paths and mutate render state. For a desktop app, this should be deliberately scoped to trusted origins.
Evidence
- backend/src/main.rs applies CORS headers in shared handlers.
- Endpoints accept filesystem path query values for video/audio/image reads, and mutation requests for cache, progress, cancel and audio-plan state; any origin the CORS policy admits can reach both.
Acceptance criteria
- Restrict allowed origins to the Electron app/dev servers or document the trust boundary explicitly.
- Return clear errors for disallowed origins/methods.
- Add coverage for rejected origins.
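One way to meet these criteria, as an added example that is not the project's code: a dependency-free origin allowlist that exact-matches the Origin header, rejects wildcard and "null" origins, checks the (preflight) method, and returns a distinct error string for each rejection. The trusted origins "http://localhost:5173" and "app://renderer" are assumed placeholders for the dev server and Electron app.

```rust
use std::collections::HashSet;

/// Outcome of checking one request against the CORS policy.
#[derive(Debug, PartialEq)]
pub enum CorsDecision {
    /// Trusted origin: echo it back in Access-Control-Allow-Origin.
    Allow(String),
    /// No Origin header: not a cross-origin browser request, emit no CORS headers.
    NotCors,
    /// Untrusted origin or disallowed method: reject with a clear error.
    Reject(String),
}

pub struct CorsPolicy {
    origins: HashSet<String>,
    methods: HashSet<&'static str>,
}

impl CorsPolicy {
    pub fn new(origins: &[&str], methods: &[&'static str]) -> Self {
        Self {
            // Exact match on scheme://host[:port]; no wildcard, no prefix matching.
            origins: origins.iter().map(|o| o.to_string()).collect(),
            methods: methods.iter().copied().collect(),
        }
    }

    /// `origin` is the Origin header; `method` is the request method, or for a
    /// preflight the value of Access-Control-Request-Method.
    pub fn evaluate(&self, origin: Option<&str>, method: &str) -> CorsDecision {
        let origin = match origin {
            None => return CorsDecision::NotCors,
            Some(o) => o,
        };
        // "null" is what file:// and sandboxed pages send; treat it as untrusted.
        if origin == "*" || origin == "null" || !self.origins.contains(origin) {
            return CorsDecision::Reject(format!("origin not allowed: {}", origin));
        }
        if !self.methods.contains(method) {
            return CorsDecision::Reject(format!("method not allowed: {}", method));
        }
        CorsDecision::Allow(origin.to_string())
    }
}

/// Assumed trusted origins (placeholders): the Vite dev server and the Electron
/// renderer's custom-scheme origin. Replace with the app's real origins.
pub fn default_policy() -> CorsPolicy {
    CorsPolicy::new(&["http://localhost:5173", "app://renderer"], &["GET", "POST", "OPTIONS"])
}
```

Wire `evaluate` into the shared handler before any path is read or state mutated, and surface `Reject` as a 403 with the message as the body.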