@@ -124,7 +124,7 @@ module.exports = function(crowi, app) {
// default methods + PUT. See: https://expressjs.com/en/resources/middleware/csurf.html#ignoremethods
app.use(csrf({ ignoreMethods: ['GET', 'HEAD', 'OPTIONS', 'PUT', 'POST', 'DELETE'], cookie: false }));
- app.use(CertifyOrigin);
+ app.use('/_api', CertifyOrigin);
// passport
logger.debug('initialize Passport');
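Review bot: Mounting CertifyOrigin only under `/_api` removes the origin check from every other route, and since the csurf line above ignores GET, HEAD, OPTIONS, PUT, POST and DELETE, nothing else visible in this hunk enforces a same-origin requirement on state-changing requests outside that prefix. If the intent is that every mutating endpoint lives under `/_api`, a comment stating that invariant would stop a later route addition from silently losing the check, e.g. `// origin check is scoped to /_api; routes mounted elsewhere must be read-only or carry their own CSRF protection`. Note also that the existing comment reads "default methods + PUT" while the ignoreMethods list also names POST and DELETE, so it no longer describes the configuration it annotates. The enclosing function body continues outside the hunk.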
@@ -15,8 +15,14 @@ type Apiv3ErrFunction = (error: ErrorV3) => void;
const certifyOrigin = (req: AccessTokenParserReq, res: Response & { apiv3Err: Apiv3ErrFunction }, next: NextFunction): void => {
const appSiteUrl = configManager.getConfig('app:siteUrl');
+ const configuredOrigin = appSiteUrl ? new URL(appSiteUrl).origin : null;
+ const requestOrigin = req.headers.origin;
+ const runtimeOrigin = `${req.protocol}://${req.get('host')}`;
+
+ const isSameOriginReq = requestOrigin == null
+ || requestOrigin === configuredOrigin
+ || requestOrigin === runtimeOrigin;
- const isSameOriginReq = req.headers.origin == null || req.headers.origin === appSiteUrl;
const accessToken = req.query.access_token ?? req.body.access_token;
if (!isSameOriginReq && req.headers.origin != null && isSimpleRequest(req)) {