- commit
- e267385
- parent
- c9e1441
- author
- im_wower
- date
- 2026-03-22 17:14:45 +0800 CST
Fix extension access to control API
2 files changed,
+36,
-2
+34,
-1
1@@ -17,6 +17,7 @@ import { CONTROL_API_ROUTES } from "./handlers.js";
2 import { createControlApiServices } from "./runtime.js";
3
4 const SUPPORTED_METHODS: ControlApiRouteMethod[] = ["GET", "POST"];
5+const SUPPORTED_REQUEST_HEADERS = ["Accept", "Authorization", "Content-Type", "X-Request-Id"];
6
7 interface ControlApiRouteMatch {
8 route: ControlApiRouteDefinition;
9@@ -43,6 +44,11 @@ export async function handleControlApiRequest(
10 ): Promise<Response> {
11 const url = new URL(request.url);
12 const requestId = resolveRequestId(request, options);
13+
14+ if (request.method === "OPTIONS") {
15+ return preflightResponse(url.pathname);
16+ }
17+
18 const matchedRoute = matchRoute(request.method, url.pathname);
19
20 if (!matchedRoute) {
21@@ -241,7 +247,7 @@ function jsonResponse(
22 requestId: string,
23 extraHeaders?: Record<string, string>
24 ): Response {
25- const headers = new Headers(extraHeaders);
26+ const headers = createCorsHeaders(extraHeaders);
27 headers.set("content-type", "application/json; charset=utf-8");
28 headers.set("x-request-id", requestId);
29
30@@ -251,6 +257,33 @@ function jsonResponse(
31 });
32 }
33
34+function preflightResponse(pathname: string): Response {
35+ const allowMethods = findAllowedMethods(pathname);
36+ const methods = allowMethods.length > 0
37+ ? [...new Set(["OPTIONS", ...allowMethods])]
38+ : ["OPTIONS", ...SUPPORTED_METHODS];
39+ const headers = createCorsHeaders({
40+ Allow: methods.join(", "),
41+ "access-control-allow-methods": methods.join(", "),
42+ "access-control-allow-headers": SUPPORTED_REQUEST_HEADERS.join(", "),
43+ "access-control-max-age": "86400"
44+ });
45+
46+ return new Response(null, {
47+ status: 204,
48+ headers
49+ });
50+}
51+
52+function createCorsHeaders(extraHeaders?: Record<string, string>): Headers {
53+ const headers = new Headers(extraHeaders);
54+ headers.set("access-control-allow-origin", "*");
55+ headers.set("access-control-allow-credentials", "false");
56+ headers.set("access-control-expose-headers", "x-request-id");
57+ headers.set("vary", "Origin");
58+ return headers;
59+}
60+
61 function matchRoute(method: string, pathname: string): ControlApiRouteMatch | null {
62 for (const route of CONTROL_API_ROUTES) {
63 if (route.method !== method) {
+2,
-1
1@@ -22,13 +22,14 @@
2 "https://*.oaiusercontent.com/*",
3 "https://gemini.google.com/*",
4 "https://control-api.makefile.so/*",
5+ "https://conductor.makefile.so/*",
6 "http://localhost/*",
7 "http://127.0.0.1/*",
8 "ws://localhost/*",
9 "ws://127.0.0.1/*"
10 ],
11 "content_security_policy": {
12- "extension_pages": "default-src 'self'; connect-src https://control-api.makefile.so ws://localhost:9800 ws://127.0.0.1:9800 http://localhost:9800 http://127.0.0.1:9800"
13+ "extension_pages": "default-src 'self'; connect-src https://control-api.makefile.so https://conductor.makefile.so ws://localhost:9800 ws://127.0.0.1:9800 http://localhost:9800 http://127.0.0.1:9800"
14 },
15 "background": {
16 "scripts": [