improve smoketests, warnings and error-messages:

* docker: warn if there are config-files in ~/.config/copyparty because somebody copied their config into /cfg/copyparty instead of /cfg as intended * docker: warn if there are no config-files in an included directory * make misconfigured reverse-proxies more obvious * explain cors rejections in server log * indicate cors rejection in error toast
2026-04-04 23:08:15 +10:00 · 2024-03-07 19:47:38 +00:00
parent 8ca996e2f7
commit d744f3ff8f
5 changed files with 60 additions and 19 deletions
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -518,9 +518,13 @@ class HttpCli(object):
                return self.handle_options() and self.keepalive

            if not cors_k:
+                host = self.headers.get("host", "<?>")
                origin = self.headers.get("origin", "<?>")
-                self.log("cors-reject {} from {}".format(self.mode, origin), 3)
-                raise Pebkac(403, "no surfing")
+                proto = "https://" if self.is_https else "http://"
+                guess = "modifying" if (origin and host) else "stripping"
+                t = "cors-reject %s because request-header Origin='%s' does not match request-protocol '%s' and host '%s' based on request-header Host='%s' (note: if this request is not malicious, check if your reverse-proxy is accidentally %s request headers, in particular 'Origin', for example by running copyparty with --ihead='*' to show all request headers)"
+                self.log(t % (self.mode, origin, proto, self.host, host, guess), 3)
+                raise Pebkac(403, "rejected by cors-check")

            # getattr(self.mode) is not yet faster than this
            if self.mode == "POST":