(READ ONLY) Margin is an open annotation layer for the internet. Powered by the AT Protocol. margin.at
extension web atproto comments

fun

scanash00 b8eaebaa 3bcf3cc5

+40 -2
+20 -1
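--- a/backend/cmd/server/main.go
+++ b/backend/cmd/server/main.go
@@ -6,6 +6,7 @@
 "net/http"
 "os"
 "os/signal"
+"strings"
 "syscall"
 "time"
 
@@ -62,7 +63,25 @@
 r.Use(middleware.Throttle(100))
 
 r.Use(cors.Handler(cors.Options{
-AllowedOrigins: []string{"https://*", "http://*", "chrome-extension://*"},
+AllowOriginFunc: func(r *http.Request, origin string) bool {
+if strings.HasPrefix(origin, "chrome-extension://") ||
+strings.HasPrefix(origin, "moz-extension://") ||
+strings.HasPrefix(origin, "safari-web-extension://") {
+return true
+}
+allowedOrigins := []string{
+"https://margin.at",
+"https://www.margin.at",
+"http://localhost:4321",
+"http://localhost:8081",
+}
+for _, allowed := range allowedOrigins {
+if origin == allowed {
+return true
+}
+}
+return false
+},
 AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
 AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token", "X-Session-Token"},
 ExposedHeaders: []string{"Link"},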
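Review bot: The three `strings.HasPrefix` checks in `AllowOriginFunc` accept every installed browser extension rather than only this project's, and the same prefix test is repeated in web/src/middleware.ts, where it is paired with `Access-Control-Allow-Credentials: true`. Where the extension ID is stable (Chrome store builds), compare the whole origin, e.g. `origin == "chrome-extension://<EXTENSION_ID>"`, with the IDs read from configuration; Firefox assigns a per-install ID, so that branch cannot be pinned this way and should rely on token authentication rather than ambient credentials. The `http://localhost:4321` and `http://localhost:8081` entries are allowed unconditionally, so consider adding them only in a development build. The `cors.Options` literal continues past the hunk, so whether `AllowCredentials` is set is not visible here.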
+20 -1
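--- a/web/src/middleware.ts
+++ b/web/src/middleware.ts
@@ -41,10 +41,29 @@
 
 try {
 const res = await fetch(target.toString(), init);
+const responseHeaders = new Headers(res.headers);
+
+const origin = request.headers.get("origin");
+if (origin && (
+origin.startsWith("chrome-extension://") ||
+origin.startsWith("moz-extension://") ||
+origin.startsWith("safari-web-extension://")
+)) {
+responseHeaders.set("Access-Control-Allow-Origin", origin);
+responseHeaders.set("Access-Control-Allow-Credentials", "true");
+responseHeaders.set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
+responseHeaders.set("Access-Control-Allow-Headers", "Accept, Authorization, Content-Type, X-CSRF-Token, X-Session-Token");
+responseHeaders.set("Access-Control-Expose-Headers", "Link");
+}
+
+if (request.method === "OPTIONS" && origin) {
+return new Response(null, { status: 204, headers: responseHeaders });
+}
+
 return new Response(res.body, {
 status: res.status,
 statusText: res.statusText,
-headers: res.headers,
+headers: responseHeaders,
 });
 } catch {
 return new Response("Backend unavailable", { status: 502 });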
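Review bot: The reflected `Access-Control-Allow-Origin` is set without `Vary: Origin`, so a shared cache in front of this middleware could replay one origin's CORS headers to a different origin; add `responseHeaders.append("Vary", "Origin");` beside the `set` calls. The `OPTIONS` short-circuit runs only after `fetch(target.toString(), init)` has already gone upstream, and it answers 204 for any non-empty `Origin`, not just the extension schemes, reusing whatever headers the backend returned. Moving that check ahead of the fetch and under the same origin test would stop preflights being forwarded and keep the 204 limited to origins the block intends to allow. The enclosing handler begins before the hunk, so how `init` is built is not visible here.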