| 270 | |
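// Check if origin is a local/private network address.
//
// Returns true for `localhost`, the loopback literals 127.0.0.1 and [::1],
// 0.0.0.0, and the RFC 1918 private IPv4 ranges (10.0.0.0/8, 172.16.0.0/12,
// 192.168.0.0/16). Returns false for everything else, including input that
// does not parse as a URL.
//
// The private-range tests apply only when the hostname is a complete
// dotted-quad IPv4 literal. A bare prefix test would also accept public DNS
// names that merely begin with "10." or "192.168." (for example
// "10.example.com"), so a non-local origin would be classified as local.
// NOTE(review): this looks like it feeds the cors() origin decision that
// follows in this file; confirm against the caller.
function isLocalOrigin(origin: string): boolean {
  let hostname: string;
  try {
    hostname = new URL(origin).hostname;
  } catch {
    // Unparseable origin: never treat it as local.
    return false;
  }

  if (
    hostname === 'localhost' ||
    hostname === '127.0.0.1' ||
    hostname === '[::1]' ||
    hostname === '0.0.0.0'
  ) {
    return true;
  }

  // Anchor on the full address so that only IPv4 literals reach the range
  // checks; names with extra labels or non-numeric labels fall through.
  const quad = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(hostname);
  if (quad === null) {
    return false;
  }

  const first = Number(quad[1]);
  const second = Number(quad[2]);
  return (
    first === 10 ||
    (first === 192 && second === 168) ||
    (first === 172 && second >= 16 && second <= 31)
  );
}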
| 289 | |
| 290 | app.use( |
| 291 | cors({ |