adb-keyboard (/text,/key inject keystrokes into the signed-in Android session) had no origin/CSRF protection — while the SSH tunnel is up, any site open in the browser could POST cross-origin as a CORS simple request and type into redroid. Now require a non-foreign Origin AND Content-Type: application/json (cross-site can't set it without a preflight we never grant); client sends the JSON header. Same guard added to the mrnumber-ocr service (reject foreign Origin). Deployed to 45.55.191.82 + verified: foreign-Origin and no-content-type POSTs → 403, legit → 200. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
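The guard the commit describes, written out as an added Python example (this is not the adb-keyboard or mrnumber-ocr project's own code). It assumes a WSGI-style service, an allow-list `ALLOWED_ORIGINS` naming the origin the legitimate UI is served from, and that a request with no Origin header at all (a non-browser client on the tunnel, such as the app's own native client) is treated as non-foreign; the `Content-Type: application/json` requirement is what stops a cross-site page from reaching the handler as a CORS simple request, since a browser will only send that media type after a preflight, and nothing here ever grants one.

```python
"""Origin + Content-Type guard for a browser-reachable local HTTP service.

Rule implemented (from the commit message):
  1. If an Origin header is present and is not one of ours -> 403.
  2. For state-changing methods, Content-Type must be application/json -> else 403.
A cross-site page can send text/plain, multipart/form-data or
application/x-www-form-urlencoded without a preflight, but not
application/json, so (2) closes the "CORS simple request" hole and
(1) rejects any browser request that does identify a foreign page.
"""
from typing import Callable, Iterable, Mapping, Optional, Tuple

# Assumption: the origin the legitimate web UI is served from through the tunnel.
ALLOWED_ORIGINS = frozenset({"http://localhost:8080"})

# Methods that can change device state (e.g. POST /text, POST /key).
STATE_CHANGING = frozenset({"POST", "PUT", "PATCH", "DELETE"})


def origin_allowed(origin: str, allowed: Iterable[str] = ALLOWED_ORIGINS) -> bool:
    """True if the Origin header names one of our own origins.

    The literal origin "null" (sandboxed iframes, file:// pages, some
    redirects) is always treated as foreign.
    """
    o = origin.strip().rstrip("/").lower()
    if o == "null":
        return False
    return o in {a.strip().rstrip("/").lower() for a in allowed}


def is_json_content_type(value: Optional[str]) -> bool:
    """True only for application/json; parameters such as charset are fine."""
    if not value:
        return False
    media_type = value.split(";", 1)[0].strip().lower()
    return media_type == "application/json"


def guard(method: str,
          headers: Mapping[str, Optional[str]],
          allowed_origins: Iterable[str] = ALLOWED_ORIGINS) -> Tuple[int, str]:
    """Decide whether a request may reach the handler.

    Returns (200, "ok") to proceed, or (403, reason) to reject.
    """
    origin = headers.get("Origin")
    if origin is not None and not origin_allowed(origin, allowed_origins):
        return 403, "foreign Origin"
    if method.upper() in STATE_CHANGING:
        if not is_json_content_type(headers.get("Content-Type")):
            return 403, "Content-Type must be application/json"
    return 200, "ok"


def require_same_origin_json(app: Callable, allowed_origins: Iterable[str] = ALLOWED_ORIGINS) -> Callable:
    """WSGI middleware (assumed deployment shape) applying guard() to every request.

    It adds no Access-Control-Allow-* headers, so any cross-site preflight
    the browser issues for application/json is never granted.
    """
    def wrapped(environ, start_response):
        headers = {
            "Origin": environ.get("HTTP_ORIGIN"),
            "Content-Type": environ.get("CONTENT_TYPE"),
        }
        status, reason = guard(environ.get("REQUEST_METHOD", "GET"), headers, allowed_origins)
        if status != 200:
            body = reason.encode("utf-8")
            start_response("403 Forbidden", [("Content-Type", "text/plain; charset=utf-8"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


def demo_app(environ, start_response):
    """Stand-in for the real keystroke handler: just acknowledges the request."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Bind to loopback only; the SSH tunnel is what exposes it.
    make_server("127.0.0.1", 8090, require_same_origin_json(demo_app)).serve_forever()
```

The check runs before any request body is read, and the Origin test applies to every method, so a cross-site `fetch()` with a foreign Origin is refused even on GET; the JSON requirement is only enforced for methods that can inject input.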