fix: prohibit cross-origin access (#462)

main.go

@@ -19,7 +19,6 @@ import (
 
 	"github.com/astaxie/beego"
 	"github.com/astaxie/beego/logs"
-	"github.com/astaxie/beego/plugins/cors"
 	_ "github.com/astaxie/beego/session/redis"
 	"github.com/casdoor/casdoor/authz"
 	"github.com/casdoor/casdoor/object"
@@ -40,14 +39,6 @@ func main() {
 
 	go object.RunSyncUsersJob()
 
-	beego.InsertFilter("*", beego.BeforeRouter, cors.Allow(&cors.Options{
-		AllowOrigins:     []string{"*"},
-		AllowMethods:     []string{"GET", "PUT", "PATCH"},
-		AllowHeaders:     []string{"Origin"},
-		ExposeHeaders:    []string{"Content-Length"},
-		AllowCredentials: true,
-	}))
-
 	//beego.DelStaticPath("/static")
 	beego.SetStaticPath("/static", "web/build/static")
 	beego.BConfig.WebConfig.DirectoryIndex = true

web/craco.config.js

@@ -1,6 +1,14 @@
 const CracoLessPlugin = require('craco-less');
 
 module.exports = {
+  devServer: {
+    proxy: {
+        '/api': {
+            target: 'http://localhost:8000',
+            changeOrigin: true,
+        }
+    },
+  },
   plugins: [
     {
       plugin: CracoLessPlugin,

web/src/Setting.js

@@ -42,10 +42,10 @@ export function getCountryRegionData() {
 }
 
 export function initServerUrl() {
-  const hostname = window.location.hostname;
-  if (hostname === "localhost") {
-    ServerUrl = `http://${hostname}:8000`;
-  }
+  //const hostname = window.location.hostname;
+  // if (hostname === "localhost") {
+  //   ServerUrl = `http://${hostname}:8000`;
+  // }
 }
 
 export function isLocalhost() {