From 6c642ef0ba8b899e3007d0634723571d1b3c4605 Mon Sep 17 00:00:00 2001
From: "review512jwy@163.com" <“review512jwy@163.com”>
Date: Fri, 19 Dec 2025 22:55:49 +0800
Subject: [PATCH] =?UTF-8?q?=E5=AE=89=E5=85=A8=E6=89=AB=E6=8F=8F=EF=BC=8Cre?= =?UTF-8?q?ferer=E5=8F=AA=E6=8E=92=E9=99=A4common=E6=8E=A5=E5=8F=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../business/configurator/CrosXssFilter.java | 40 ++++++++++++-------
 1 file changed, 25 insertions(+), 15 deletions(-)
diff --git a/data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java b/data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java
index 451f9f4..7ad5f89 100644
--- a/data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java
+++ b/data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java
@@ -49,22 +49,32 @@ public class CrosXssFilter implements Filter {
 HttpServletResponse httpServletResponse = (HttpServletResponse) response;
 HttpServletRequest httpRequest = (HttpServletRequest) request;
-
- String referer = httpRequest.getHeader("Referer");
- if (StringUtils.isNotBlank(referer) && !"*".equals(accessControlAllowOrigin)) {
- // 允许多个域名,逗号分隔
- String[] allowedOrigins = accessControlAllowOrigin.split(",");
- boolean matched = false;
- for (String origin : allowedOrigins) {
- origin = origin.trim();
- if (StringUtils.isNotBlank(origin) && referer.startsWith(origin)) {
- matched = true;
- break;
+
+ String requestUri = httpRequest.getRequestURI();
+ // 当 URL 不包含 /common/ 时,校验 Referer
+ if (!requestUri.contains("/common/")) {
+ String referer = httpRequest.getHeader("Referer");
+ if (StringUtils.isNotBlank(referer)){
+ if(!"*".equals(accessControlAllowOrigin)){
+ // 允许多个域名,逗号分隔
+ String[] allowedOrigins = accessControlAllowOrigin.split(",");
+ boolean matched = false;
+ for (String origin : allowedOrigins) {
+ origin = origin.trim();
+ if (StringUtils.isNotBlank(origin) && referer.startsWith(origin)) {
+ matched = true;
+ break;
+ }
+ }
+ // 如果一个都不匹配,则返回 403
+ if (!matched) {
+ logger.error("Invalid Referer: {}", referer);
+ httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Referer");
+ return;
+ }
 }
- }
- // 如果一个都不匹配,则返回 403
- if (!matched) {
- logger.error("Invalid Referer: {}", referer);
+ } else {
+ logger.error("Referer required....");
 httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Referer");
 return;
 }
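Review bot: The new exemption test `requestUri.contains("/common/")` matches that segment anywhere in the request URI rather than at the start of the path, and `getRequestURI()` returns the raw, undecoded request-line value, so any request whose URI merely embeds that segment skips the Referer check entirely; if the exempt endpoints share a fixed prefix, a prefix test on the container-resolved path such as `if (!httpRequest.getServletPath().startsWith("/common/")) {` limits the exemption to those endpoints (confirm how the dispatcher is mapped before relying on getServletPath). The retained `referer.startsWith(origin)` loop accepts any Referer whose string begins with an allowed origin, so it is worth parsing the header with `java.net.URI` and comparing scheme, host and port with `equals` instead of a prefix, and the loop should also fail closed when `referer` cannot be parsed. The new `else` branch now returns 403 for every non-exempt request that carries no Referer at all, which will include legitimate clients under a `no-referrer` policy, and logging each of them at `error` with the literal `"Referer required...."` will be noisy; `logger.warn("Referer missing for {}", requestUri);` reads better and gives the operator the path. The hunk's final closing brace and the remainder of this filter method lie outside the visible span.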