From ab544469253ccee0c3e135fa1d75d7da068e75d9 Mon Sep 17 00:00:00 2001
From: "review512jwy@163.com" <“review512jwy@163.com”>
Date: Wed, 19 Nov 2025 10:41:04 +0800
Subject: [PATCH] =?UTF-8?q?=E9=80=82=E9=85=8Ddashboard=E7=9A=84nginx?= =?UTF-8?q?=E8=BD=AC=E5=8F=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../business/configurator/CrosXssFilter.java | 23 +++++++++++++------
 1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java b/data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java
index e35930a..28187cc 100644
--- a/data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java
+++ b/data-center-business-controller/src/main/java/com/techsor/datacenter/business/configurator/CrosXssFilter.java
@@ -51,10 +51,22 @@ public class CrosXssFilter implements Filter {
 HttpServletRequest httpRequest = (HttpServletRequest) request;
 String referer = httpRequest.getHeader("Referer");
- if (StringUtils.isNotBlank(referer) && !"*".equals(accessControlAllowOrigin)
- && !referer.startsWith(accessControlAllowOrigin)) {
- httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Referer");
- return;
+ if (StringUtils.isNotBlank(referer) && !"*".equals(accessControlAllowOrigin)) {
+ // 允许多个域名,逗号分隔
+ String[] allowedOrigins = accessControlAllowOrigin.split(",");
+ boolean matched = false;
+ for (String origin : allowedOrigins) {
+ origin = origin.trim();
+ if (StringUtils.isNotBlank(origin) && referer.startsWith(origin)) {
+ matched = true;
+ break;
+ }
+ }
+ // 如果一个都不匹配,则返回 403
+ if (!matched) {
+ httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Invalid Referer");
+ return;
+ }
 }
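Review bot: `referer.startsWith(origin)` inside the new loop still accepts any Referer that merely begins with an allowed value, so with `https://example.com` configured a Referer such as `https://example.com.other.example/` (constructed example) passes the check; the comparison should stop at the origin boundary, e.g. `if (StringUtils.isNotBlank(origin) && (referer.equals(origin) || referer.startsWith(origin + "/"))) {`, or compare the parsed scheme/host/port of the Referer against each entry. Splitting `accessControlAllowOrigin` on commas also changes what the second hunk writes: its context line `httpServletResponse.setHeader("Access-Control-Allow-Origin", accessControlAllowOrigin);` still emits the raw configured string, and a value holding several comma-separated origins is not a valid `Access-Control-Allow-Origin` (browsers accept a single origin or `*`), so CORS responses break as soon as more than one domain is configured; that header should carry only the single origin that matched the request, never the whole list. A one-line comment above the loop such as `// Referer must match one of the comma-separated allowed origins exactly at the origin boundary` would document the intended contract. The enclosing method starts before and continues after this hunk.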
@@ -93,9 +105,6 @@ public class CrosXssFilter implements Filter {
 // 设置允许的域名
 httpServletResponse.setHeader("Access-Control-Allow-Origin", accessControlAllowOrigin);
 httpServletResponse.setHeader("Access-Control-Allow-Credentials", "true");
-
- // 修复 X-XSS-Protection 问题
- httpServletResponse.setHeader("X-XSS-Protection", "1; mode=block");