diff --git a/data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java b/data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java index e35930a..28187cc 100644 --- a/data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java +++ b/data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java @@ -51,10 +51,22 @@ public class CrosXssFilter implements Filter { HttpServletRequest httpRequest = (HttpServletRequest) request; String referer = httpRequest.getHeader("Referer"); - if (StringUtils.isNotBlank(referer) && !"*".equals(accessControlAllowOrigin) - && !referer.startsWith(accessControlAllowOrigin)) { - httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Referer"); - return; + if (StringUtils.isNotBlank(referer) && !"*".equals(accessControlAllowOrigin)) { + // 允许多个域名,逗号分隔 + String[] allowedOrigins = accessControlAllowOrigin.split(","); + boolean matched = false; + for (String origin : allowedOrigins) { + origin = origin.trim(); + if (StringUtils.isNotBlank(origin) && referer.startsWith(origin)) { + matched = true; + break; + } + } + // 如果一个都不匹配,则返回 403 + if (!matched) { + httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Referer"); + return; + } } @@ -93,9 +105,6 @@ public class CrosXssFilter implements Filter { // 设置允许的域名 httpServletResponse.setHeader("Access-Control-Allow-Origin", accessControlAllowOrigin); httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true"); - - // 修复 X-XSS-Protection 问题 - httpServletResponse.setHeader("X-XSS-Protection", "1; mode=block");