From 76b75f3ad755ef5ff78b3670abbab549fb080243 Mon Sep 17 00:00:00 2001
From: comfyanonymous <121283862+comfyanonymous@users.noreply.github.com>
Date: Thu, 2 Apr 2026 13:39:34 -0700
Subject: [PATCH] Fix some issue with insecure browsers. (#13261)

If you are on a recent chromium or chrome based browser this doesn't affect you.

This is to give time for the lazy firefox devs to implement PNA.
---
 server.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/server.py b/server.py
index 27b14825e..881da8e66 100644
--- a/server.py
+++ b/server.py
@@ -146,6 +146,10 @@ def is_loopback(host):
 def create_origin_only_middleware():
     @web.middleware
     async def origin_only_middleware(request: web.Request, handler):
+        if 'Sec-Fetch-Site' in request.headers:
+            sec_fetch_site = request.headers['Sec-Fetch-Site']
+            if sec_fetch_site == 'cross-site':
+                return web.Response(status=403)
         #this code is used to prevent the case where a random website can queue comfy workflows by making a POST to 127.0.0.1 which browsers don't prevent for some dumb reason.
         #in that case the Host and Origin hostnames won't match
         #I know the proper fix would be to add a cookie but this should take care of the problem in the meantime
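Review bot: The added check returns 403 for every request carrying `Sec-Fetch-Site: cross-site`, which browsers also send for top-level navigations (a link to the local server followed from another site arrives as `cross-site` with `Sec-Fetch-Mode: navigate`), so those page loads would now be refused along with the scripted cross-origin POSTs the comment above describes. If only fetch/XHR-style requests are meant to be blocked, narrow the condition with the mode header and fold the four lines into one, e.g. `if request.headers.get('Sec-Fetch-Site') == 'cross-site' and request.headers.get('Sec-Fetch-Mode') != 'navigate':`. Giving the response a short `text=` explaining the refusal would help users who hit it from a proxied or mismatched frontend. Clients that omit the header (non-browsers, older browsers) skip this check and fall through to the existing Host/Origin comparison, which is the behaviour the commit message relies on; it may be worth stating that in a comment next to the new lines. The body of origin_only_middleware continues past the end of this hunk.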