From 374c535cfa2fd06cb71fc19d97106b24a575c9f0 Mon Sep 17 00:00:00 2001
From: ed
Date: Wed, 20 Dec 2023 20:03:08 +0000
Subject: [PATCH] fix cors-checker so it behaves like the readme says; any custom header (`pw` in our case) is sufficient validation
---
 copyparty/httpcli.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index c14e7789..c0ae801d 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -861,16 +861,16 @@ class HttpCli(object):
 self.host.lower().split(":")[0],
 )
 ]
- if re.sub(r"(:[0-9]{1,5})?/?$", "", origin) in good_origins:
+ if "pw" in ih or re.sub(r"(:[0-9]{1,5})?/?$", "", origin) in good_origins:
 good_origin = True
 bad_hdrs = ("",)
 else:
 good_origin = False
 bad_hdrs = ("", "pw")
- # '*' blocks all credentials (cookies, http-auth);
+ # '*' blocks auth through cookies / WWW-Authenticate;
 # exact-match for Origin is necessary to unlock those,
- # however yolo-requests (?pw=) are always allowed
+ # but the ?pw= param and PW: header are always allowed
 acah = ih.get("access-control-request-headers", "")
 acao = (origin if good_origin else None) or (
 "*" if "*" in good_origins else None
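Review bot: The new test `"pw" in ih` on the `if` line accepts the mere presence of the header, whatever its value, as proof of a good origin; `good_origin = True` then makes `acao` echo the caller's Origin, which the comment below names as the condition that unlocks cookie and http-auth credentials. That holds only while a preflight from an unlisted origin never gets `pw` approved (the else branch keeps `"pw"` in `bad_hdrs`, but how `bad_hdrs` is applied lies outside this hunk), so the invariant deserves a comment at the check, e.g. `# a custom header forces a CORS preflight, so it can only arrive from an origin the preflight already approved`. If the code after the hunk also marks credentials as allowed whenever the origin is echoed, a request carrying a `pw` header would bring the cookie session along with it; confirm that is intended, or limit this branch to the identity proven by `pw`. The rewritten comment's last line says the `?pw=` param is always allowed, yet only the header is tested here, and a regression test covering an unlisted origin with and without the header would pin the behaviour. The enclosing method starts and ends outside the hunk.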