From ae2a746d0cbc8a2dad4f5e8b0b733b82ba14b107 Mon Sep 17 00:00:00 2001 From: Jakob Hagl Date: Tue, 5 Aug 2025 10:38:08 +0200 Subject: [PATCH] add custom cors scheme option --- backend/open_webui/config.py | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py index bf4325417d..c114793507 100644 --- a/backend/open_webui/config.py +++ b/backend/open_webui/config.py @@ -1337,10 +1337,11 @@ if THREAD_POOL_SIZE is not None and isinstance(THREAD_POOL_SIZE, str): def validate_cors_origin(origin): parsed_url = urlparse(origin) - # Check if the scheme is either http or https - if parsed_url.scheme not in ["http", "https"]: + # Check if the scheme is either http or https, or a custom scheme + schemes = ["http", "https" ] + CORS_ALLOW_CUSTOM_SCHEME + if parsed_url.scheme not in schemes: raise ValueError( - f"Invalid scheme in CORS_ALLOW_ORIGIN: '{origin}'. Only 'http' and 'https' are allowed." + f"Invalid scheme in CORS_ALLOW_ORIGIN: '{origin}'. Only 'http' and 'https' and CORS_ALLOW_CUSTOM_SCHEME are allowed." ) # Ensure that the netloc (domain + port) is present, indicating it's a valid URL @@ -1355,6 +1356,11 @@ def validate_cors_origin(origin): # in your .env file depending on your frontend port, 5173 in this case. CORS_ALLOW_ORIGIN = os.environ.get("CORS_ALLOW_ORIGIN", "*").split(";") +# Allows custom URL schemes (e.g., app://) to be used as origins for CORS. +# Useful for local development or desktop clients with schemes like app:// or other custom protocols. +# Provide a semicolon-separated list of allowed schemes in the environment variable CORS_ALLOW_CUSTOM_SCHEMES. +CORS_ALLOW_CUSTOM_SCHEME = os.environ.get("CORS_ALLOW_CUSTOM_SCHEME", "").split(";") + if CORS_ALLOW_ORIGIN == ["*"]: log.warning( "\n\nWARNING: CORS_ALLOW_ORIGIN IS SET TO '*' - NOT RECOMMENDED FOR PRODUCTION DEPLOYMENTS.\n"