From 3fb6192021c309201f95a41020b9a336cbfb43a7 Mon Sep 17 00:00:00 2001
From: shaohuzhang1 <80892890+shaohuzhang1@users.noreply.github.com>
Date: Wed, 8 May 2024 18:46:58 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E8=B7=A8=E5=9F=9F=E5=A4=B1=E6=95=88=20(?= =?UTF-8?q?#394)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../middleware/cross_domain_middleware.py | 26 ++++++++-----------
 1 file changed, 11 insertions(+), 15 deletions(-)
diff --git a/apps/common/middleware/cross_domain_middleware.py b/apps/common/middleware/cross_domain_middleware.py
index 499854e60..d116dd7b7 100644
--- a/apps/common/middleware/cross_domain_middleware.py
+++ b/apps/common/middleware/cross_domain_middleware.py
@@ -17,27 +17,23 @@ class CrossDomainMiddleware(MiddlewareMixin):
 def process_request(self, request):
 if request.method == 'OPTIONS':
- auth = request.META.get('HTTP_AUTHORIZATION')
- if auth is not None and str(auth).startswith("application-"):
- application_api_key = QuerySet(ApplicationApiKey).filter(secret_key=auth).first()
- if application_api_key.allow_cross_domain:
- return HttpResponse(status=200,
- headers={
- "Access-Control-Allow-Origin": "*" if application_api_key.cross_domain_list is None or len(
- application_api_key.cross_domain_list) == 0 else ",".join(
- application_api_key.cross_domain_list),
- "Access-Control-Allow-Methods": "GET,POST,DELETE,PUT",
- "Access-Control-Allow-Headers": "Origin,X-Requested-With,Content-Type,Accept,Authorization,token"})
+ return HttpResponse(status=200,
+ headers={
+ "Access-Control-Allow-Origin": "*",
+ "Access-Control-Allow-Methods": "GET,POST,DELETE,PUT",
+ "Access-Control-Allow-Headers": "Origin,X-Requested-With,Content-Type,Accept,Authorization,token"})
 def process_response(self, request, response):
 auth = request.META.get('HTTP_AUTHORIZATION')
- if auth is not None and str(auth).startswith("application-"):
+ origin = request.META.get('HTTP_ORIGIN')
+ if auth is not None and str(auth).startswith("application-") and origin is not None:
 application_api_key = QuerySet(ApplicationApiKey).filter(secret_key=auth).first()
 if application_api_key.allow_cross_domain:
- response['Access-Control-Allow-Origin'] = "*" if application_api_key.cross_domain_list is None or len(
- application_api_key.cross_domain_list) == 0 else ",".join(
- application_api_key.cross_domain_list)
 response['Access-Control-Allow-Methods'] = 'GET,POST,DELETE,PUT'
 response[
 'Access-Control-Allow-Headers'] = "Origin,X-Requested-With,Content-Type,Accept,Authorization,token"
+ if application_api_key.cross_domain_list is None or len(application_api_key.cross_domain_list) == 0:
+ response['Access-Control-Allow-Origin'] = "*"
+ elif application_api_key.cross_domain_list.__contains__(origin):
+ response['Access-Control-Allow-Origin'] = origin
 return response
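Review bot: In `process_response`, `.filter(secret_key=auth).first()` returns `None` when no key matches, so a request carrying an unknown `application-…` Authorization value plus an Origin header raises AttributeError on `application_api_key.allow_cross_domain`; guard it with `if application_api_key is not None and application_api_key.allow_cross_domain:`. The new branch that echoes a single allowed origin should also mark the response as origin-dependent, for example `patch_vary_headers(response, ['Origin'])` from `django.utils.cache` (the import block is outside this hunk), so a shared cache cannot serve one origin's `Access-Control-Allow-Origin` to another. `cross_domain_list.__contains__(origin)` is more idiomatic as `origin in application_api_key.cross_domain_list`. Because `process_request` now answers every OPTIONS request with `Access-Control-Allow-Origin: *`, the per-key allow-list is enforced only in `process_response`; a short comment there stating that preflights carry no Authorization header, which appears to be why the key lookup was dropped, would make that intent explicit.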