mirror of
https://github.com/langgenius/dify.git
synced 2026-05-21 17:20:25 +08:00
OPENAPI_CORS_ALLOW_ORIGINS env var defaults to empty (same-origin only). Operators expand for third-party integrations via comma-separated list.

Allowed headers: Authorization, Content-Type, X-CSRF-Token. Methods: GET POST PATCH DELETE OPTIONS. Max-Age 600s. supports_credentials=True so cookie-authed approve/deny work once Phase D moves them in.

Disallowed origins receive a normal 200 OPTIONS response without the Access-Control-Allow-Origin header — flask-cors's standard behavior; browser blocks the cross-origin request from the disallowed origin.

Plan: docs/superpowers/plans/2026-04-26-openapi-migration.md (in difyctl repo).
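
The policy described in the commit message above, modelled in standard-library Python as an added example; it is not code from the Dify repository and does not call flask-cors. The function names, the sample origins and the refusal of a `*` entry are assumptions of this sketch.

```python
# Added illustration: a stdlib-only model of the CORS policy in the commit
# message. Not Dify's code; parse_origins/preflight are hypothetical names.
ALLOW_HEADERS = "Authorization, Content-Type, X-CSRF-Token"
ALLOW_METHODS = "GET, POST, PATCH, DELETE, OPTIONS"
MAX_AGE = "600"  # seconds a browser may cache the preflight result


def parse_origins(raw):
    """Split a comma-separated OPENAPI_CORS_ALLOW_ORIGINS value.

    Empty or unset yields an empty set: same-origin only.
    """
    origins = set()
    for item in (raw or "").split(","):
        item = item.strip()
        if not item:
            continue
        # Assumption of this sketch: refuse "*", because browsers reject a
        # wildcard Access-Control-Allow-Origin on credentialed requests.
        if item == "*":
            raise ValueError("wildcard origin cannot be used with credentials")
        origins.add(item)
    return frozenset(origins)


def preflight(origin, allowed):
    """Return (status, headers) for an OPTIONS preflight sent by `origin`."""
    headers = {}
    # Exact string match: a look-alike host with the allowed name as a
    # prefix or suffix is not in the set and gets no CORS headers.
    if origin is not None and origin in allowed:
        headers = {
            "Access-Control-Allow-Origin": origin,  # echoed, never "*"
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Headers": ALLOW_HEADERS,
            "Access-Control-Allow-Methods": ALLOW_METHODS,
            "Access-Control-Max-Age": MAX_AGE,
            "Vary": "Origin",  # keep caches from reusing another origin's answer
        }
    # Disallowed origins still get 200; the missing header is what makes the
    # browser block the cross-origin request.
    return 200, headers


if __name__ == "__main__":
    # Constructed sample value, not taken from any real deployment.
    allowed = parse_origins("https://partner.example, https://tools.example")
    for o in ("https://partner.example", "https://partner.example.attacker.test"):
        print(o, preflight(o, allowed))
```

Because the status code is 200 in both cases, a check of a deployed endpoint has to look for the presence or absence of `Access-Control-Allow-Origin`, not at the status.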