From 85a21e97f6a56a47473b3f5884fdc3a8f20e1373 Mon Sep 17 00:00:00 2001
From: pengx17 <pengxiao@outlook.com>
Date: Thu, 24 Apr 2025 05:09:50 +0000
Subject: [PATCH] fix(electron): do not add * as the default cors headers
 (#11867)

<!-- This is an auto-generated comment: release notes by coderabbit.ai -->

## Summary by CodeRabbit

- **Refactor**
  - Simplified network request header handling and CORS header management for improved maintainability.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---
 .../frontend/apps/electron/src/main/protocol.ts  | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)

diff --git a/packages/frontend/apps/electron/src/main/protocol.ts b/packages/frontend/apps/electron/src/main/protocol.ts
index 4cf26ed443..cf5db6b57b 100644
--- a/packages/frontend/apps/electron/src/main/protocol.ts
+++ b/packages/frontend/apps/electron/src/main/protocol.ts
@@ -34,13 +34,8 @@ protocol.registerSchemesAsPrivileged([
   },
 ]);
 
-const NETWORK_REQUESTS = ['/api', '/ws', '/socket.io', '/graphql'];
 const webStaticDir = join(resourcesPath, 'web-static');
 
-function isNetworkResource(pathname: string) {
-  return NETWORK_REQUESTS.some(opt => pathname.startsWith(opt));
-}
-
 async function handleFileRequest(request: Request) {
   const urlObject = new URL(request.url);
 
@@ -146,8 +141,8 @@ export function registerProtocol() {
 
           delete responseHeaders['access-control-allow-origin'];
           delete responseHeaders['access-control-allow-headers'];
-          responseHeaders['Access-Control-Allow-Origin'] = ['*'];
-          responseHeaders['Access-Control-Allow-Headers'] = ['*'];
+          delete responseHeaders['Access-Control-Allow-Origin'];
+          delete responseHeaders['Access-Control-Allow-Headers'];
         }
       })()
         .catch(err => {
@@ -161,7 +156,6 @@ export function registerProtocol() {
 
   session.defaultSession.webRequest.onBeforeSendHeaders((details, callback) => {
     const url = new URL(details.url);
-    const pathname = url.pathname;
 
     (async () => {
       // session cookies are set to file:// on production
@@ -181,12 +175,6 @@ export function registerProtocol() {
           .join('; ');
         delete details.requestHeaders['cookie'];
         details.requestHeaders['Cookie'] = cookieString;
-
-        // mitigate the issue of the worker not being able to access the origin
-        if (isNetworkResource(pathname)) {
-          details.requestHeaders['origin'] = url.origin;
-          details.requestHeaders['referer'] = url.origin;
-        }
       }
     })()
       .catch(err => {