|
|
@@ -1,6 +1,7 @@
|
|
|
package common.handler;
|
|
|
|
|
|
import com.jfinal.handler.Handler;
|
|
|
+import com.jfinal.kit.StrKit;
|
|
|
|
|
|
import javax.servlet.http.HttpServletRequest;
|
|
|
import javax.servlet.http.HttpServletResponse;
|
|
|
@@ -16,7 +17,24 @@ public class AllCorsHandler extends Handler {
|
|
|
public void handle(String target, HttpServletRequest request, HttpServletResponse response, boolean[] isHandled) {
|
|
|
// *** 关键修改:将 '*' 替换为具体的调用方域名 ***
|
|
|
String ALLOWED_ORIGIN = System.getenv("URL_BASE");
|
|
|
- response.setHeader("Access-Control-Allow-Origin", ALLOWED_ORIGIN);
|
|
|
+
|
|
|
+ // 从请求头中获取 Origin
|
|
|
+ String origin = request.getHeader("Origin");
|
|
|
+ if (StrKit.notBlank(origin)) {
|
|
|
+ // 可以在这里添加白名单校验,例如:
|
|
|
+ if (origin.equals(ALLOWED_ORIGIN)
|
|
|
+ || origin.equals(ALLOWED_ORIGIN + ":9000")) {
|
|
|
+ response.setHeader("Access-Control-Allow-Origin", origin);
|
|
|
+ } else {
|
|
|
+ // 拒绝不认识的 Origin
|
|
|
+ response.setStatus(HttpServletResponse.SC_FORBIDDEN);
|
|
|
+ isHandled[0] = true;
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ // 如果你100%确定这个Origin是安全的,可以直接设置
|
|
|
+ response.setHeader("Access-Control-Allow-Origin", origin);
|
|
|
+ }
|
|
|
|
|
|
response.setHeader("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE,OPTIONS");
|
|
|
// 确保继续包含你自定义的 headers,如 dl_token
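Review bot: The response at L81 echoes the request's Origin back in Access-Control-Allow-Origin but never sets `Vary: Origin`, so a shared cache may serve a response generated for one allowed origin to a request from the other (the two allowed values differ only by the `:9000` port); add `response.setHeader("Vary", "Origin");` next to it. The second `response.setHeader("Access-Control-Allow-Origin", origin)` at L117 is a byte-for-byte repeat of L81 and its comment ("if you are 100% sure this Origin is safe") reads as if no check had happened, although the whitelist branch above already rejected everything else — drop L109–L117. When `URL_BASE` is unset, `ALLOWED_ORIGIN` is null and the concatenation yields the literal "null:9000", so every request carrying an Origin header gets a 403 with no indication why; failing fast at startup or logging the rejected origin would make that misconfiguration visible. The handle method continues past the end of the hunk, so whether the response carries Access-Control-Allow-Credentials (which would make the origin echo mandatory) is not visible here.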
|