 * Reject obvious cross-origin calls. Same-origin browser requests send an
 * `Origin` header matching the host; we allow those, plus any host in
 * DOCS_ALLOWED_ORIGINS (comma-separated). Requests with no Origin (e.g. curl)
 * are allowed through to the cost caps rather than blocked, since Origin is
| 139 | * trivially spoofable and is a filter, not a security boundary. |
| 140 | */ |
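function isAllowedOrigin(req: Request): boolean {
  const origin = req.headers.get('origin')
  if (!origin) return true

  // `Origin: null` (sandboxed iframes, some cross-site redirects) and any
  // malformed value do not parse as a URL; they are rejected here rather than
  // treated like a missing Origin.
  let originHost: string
  try {
    originHost = new URL(origin).host.toLowerCase()
  } catch {
    return false
  }

  // X-Forwarded-Host is consulted before Host, so the reverse proxy in front of
  // this service must set or strip it; if the service is reachable without one,
  // that header is client-controlled (consistent with the "filter, not a
  // boundary" intent documented above). Only the first hop of a comma-separated
  // forwarded list is used. `host` keeps an explicit port on both sides of the
  // comparison.
  const forwardedHost = req.headers.get('x-forwarded-host') ?? req.headers.get('host')
  // split() always yields at least one element; `?? ''` only satisfies
  // noUncheckedIndexedAccess.
  const requestHost = (forwardedHost?.split(',')[0] ?? '').trim().toLowerCase()
  if (requestHost && originHost === requestHost) return true

  // Entries may be bare hosts or full origins; both are reduced to a host so an
  // operator writing `https://docs.example.com` into DOCS_ALLOWED_ORIGINS gets a
  // match instead of an entry that silently never matches.
  const allowlist = (process.env.DOCS_ALLOWED_ORIGINS ?? '')
    .split(',')
    .map(allowlistEntryHost)
    .filter((host): host is string => host !== null)
  return allowlist.includes(originHost)
}

/**
 * Reduce one DOCS_ALLOWED_ORIGINS entry to the host it names.
 *
 * Bare hosts (`docs.example.com`, `localhost:3000`) are returned trimmed and
 * lowercased as written; entries in origin form (`https://docs.example.com`)
 * are parsed and their `host` (hostname plus any explicit port) is returned.
 * Only entries containing `://` are parsed as URLs, because
 * `new URL('localhost:3000')` would read `localhost` as the scheme instead of
 * throwing. Blank or unparseable entries yield `null` so the caller can drop
 * them.
 *
 * @param entry - one item of the comma-separated list, untrimmed
 * @returns the lowercased host, or `null` if the entry is unusable
 */
function allowlistEntryHost(entry: string): string | null {
  const normalized = entry.trim().toLowerCase()
  if (!normalized) return null
  if (!normalized.includes('://')) return normalized
  try {
    return new URL(normalized).host || null
  } catch {
    return null
  }
}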
| 162 | |
| 163 | const SYSTEM_PROMPT = `You are the documentation assistant for Sim — the open-source AI workspace where teams build, deploy, and manage AI agents. |
| 164 |