
Tighten CORS rules #7503

Merged
merged 28 commits into main from cors
Feb 22, 2024

Conversation

abidlabs (Member) commented Feb 21, 2024

To prevent malicious third-party websites from making requests to Gradio applications running locally, this PR tightens the CORS rules around Gradio applications. In particular, based on @XciD's suggestion: it checks to see if the Host header is localhost (or one of its aliases) and if so, it requires the Origin header (if present) to be localhost (or one of its aliases) as well.

To test this, you can start running any Gradio app, e.g. this one, locally:

import gradio as gr

with gr.Blocks() as demo:
    t1 = gr.Textbox()
    # On page load, fill the textbox via a request to the local backend
    demo.load(lambda: "Hello", None, t1)

demo.launch()

And then open up different websites in your browser and simulate requests from them using the Inspector console, e.g.:

fetch('http://localhost:7860/config')
  .then(response => {
    if (!response.ok) {
      throw new Error('Network response was not ok');
    }
    return response.json(); // or response.text() if the response is not in JSON format
  })
  .then(data => {
    console.log(data); // This will display the response in the console
  })
  .catch(error => {
    console.error('There has been a problem with your fetch operation:', error);
  });

If you make the request from a website on localhost, the request should go through, but if you make the request while a different webpage is loaded, it should be blocked.

I also installed this PR in this Space: https://huggingface.co/spaces/abidlabs/test-cors, and confirmed that:

  • The Client works with it:

from gradio_client import Client

client = Client("abidlabs/test-cors")
client.predict("Hello")

  • Embedding with an iFrame works:

<iframe
	src="https://abidlabs-test-cors.hf.space"
	frameborder="0"
	width="850"
	height="450"
></iframe>

  • Embedding with a web component NOW works (!):

<html>
<script
	type="module"
	src="https://gradio.s3-us-west-2.amazonaws.com/4.19.1/gradio.js"
></script>

<gradio-app src="https://abidlabs-test-cors.hf.space"></gradio-app>
</html>
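The Host/Origin rule described in the PR text, written out as a stand-alone simulation so the test procedure above (a fetch from a localhost page versus a fetch from some other site) can be reasoned about offline. This is an added example, not Gradio's own code from gradio/route_utils.py; the set of localhost aliases is an assumption, since the PR text says "localhost (or one of its aliases)" without enumerating them, and the sample header pairs are constructed.

```python
"""Simulate the Host/Origin check described in the PR (added example, not Gradio's code)."""
from urllib.parse import urlsplit

# Hostnames treated as "localhost or one of its aliases". Assumed set: the PR
# text does not enumerate the aliases, so this list is illustrative only.
LOCALHOST_ALIASES = {"localhost", "127.0.0.1", "0.0.0.0", "::1"}


def extract_hostname(header_value):
    """Return the lowercase hostname from a Host header ("localhost:7860") or
    an Origin header ("http://localhost:7860"), dropping scheme and port.
    Returns None when the header is absent or has no parseable host."""
    if header_value is None:
        return None
    value = header_value.strip()
    # Host carries no scheme; prefix "//" so urlsplit treats it as an authority.
    if "://" not in value:
        value = "//" + value
    try:
        return urlsplit(value).hostname  # lowercased; port and IPv6 brackets removed
    except ValueError:  # e.g. malformed IPv6 literal
        return None


def is_local(header_value):
    """True when the header names localhost or one of its aliases (exact match;
    "localhost.example" does not count)."""
    return extract_hostname(header_value) in LOCALHOST_ALIASES


def origin_allowed(host_header, origin_header):
    """The policy from the PR description:
    - if Host is not a localhost alias, the check does not apply (allowed);
    - if Host is a localhost alias and Origin is absent (same-origin navigation,
      curl, the Python client), allowed;
    - if Host is a localhost alias and Origin is present, Origin must also be a
      localhost alias. The opaque origin "null" is therefore rejected too."""
    if not is_local(host_header):
        return True
    if origin_header is None:
        return True
    return is_local(origin_header)


# Constructed sample requests (Host, Origin header pairs), not captured traffic.
SAMPLE_REQUESTS = [
    ("localhost:7860", "http://localhost:7860"),       # fetch from the app's own page
    ("127.0.0.1:7860", None),                          # curl / Python client: no Origin
    ("localhost:7860", "https://attacker.example"),    # third-party page -> blocked
    ("localhost:7860", "null"),                        # opaque origin -> blocked
    ("[::1]:7860", "http://[::1]:7860"),               # IPv6 loopback alias
    ("abidlabs-test-cors.hf.space", "https://huggingface.co"),  # hosted Space: rule not applied
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Return [(host, origin, allowed), ...] for each sample request."""
    return [(h, o, origin_allowed(h, o)) for h, o in requests]


if __name__ == "__main__":
    for host, origin, ok in evaluate():
        print(f"Host={host!r:32} Origin={origin!r:32} -> {'allowed' if ok else 'blocked'}")
```

Two details worth noting when reading the results: the comparison is on the exact hostname, so an Origin such as http://localhost.attacker.example does not pass for a localhost Host, and a request with no Origin header at all is left alone, which is why the Python client and plain curl keep working while a cross-site browser fetch is refused.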

gradio-pr-bot (Contributor) commented Feb 21, 2024

🪼 branch checks and previews

Name    | Status  | URL
Spaces  | ready!  | Spaces preview
Website | ready!  | Website preview
🦄 Changes detected! Details

Install Gradio from this PR

pip install https://gradio-builds.s3.amazonaws.com/01a39bf774b6c215a0a29220b576bb40329c81e6/gradio-4.19.1-py3-none-any.whl

Install Gradio Python Client from this PR

pip install "gradio-client @ git+https://github.com/gradio-app/gradio@01a39bf774b6c215a0a29220b576bb40329c81e6#subdirectory=client/python"

gradio-pr-bot (Contributor) commented Feb 21, 2024

🦄 change detected

This Pull Request includes changes to the following packages.

Package | Version
gradio  | patch

  • Maintainers can select this checkbox to manually select packages to update.

With the following changelog entry.

Tighten CORS rules

Maintainers or the PR author can modify the PR title to modify this entry.

Something isn't right?

  • Maintainers can change the version label to modify the version bump.
  • If the bot has failed to detect any changes, or if this pull request needs to update multiple packages to different versions or requires a more comprehensive changelog entry, maintainers can update the changelog file directly.

abidlabs added the label "v: patch" (A change that requires a patch release) Feb 21, 2024
PinkDraconian commented
This fix looks great. Thank you for the resolution.
Would you also be able to "accept" my report? That way the process over there moves along.

akx (Contributor) left a comment

Wouldn't this be served by just setting allow_origin_regex for CORSMiddleware?

abidlabs (Member, Author) replied

> Wouldn't this be served by just setting allow_origin_regex for CORSMiddleware?

I don't believe so, no. We want to apply CORS only if the host is localhost (i.e. the app is running locally), which is not something that allow_origin_regex allows us to do.

pngwn (Member) left a comment

From my testing this works great! Thanks @abidlabs!

abidlabs (Member, Author) commented

Thank you @whitphx @akx @pngwn for the reviews, and to @PinkDraconian for reporting the original issue!

@abidlabs abidlabs merged commit 84802ee into main Feb 22, 2024
7 checks passed
@abidlabs abidlabs deleted the cors branch February 22, 2024 19:54
@pngwn pngwn mentioned this pull request Feb 22, 2024