CVE-2024-1727 Information

Description

To prevent malicious third-party websites from making requests to Gradio applications running locally, this PR tightens the CORS rules around Gradio applications. In particular, it checks whether the Host header is localhost (or one of its aliases) and, if so, requires the Origin header (if present) to be localhost (or one of its aliases) as well.
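
The rule described above, written out as a stand-alone check. This is an added example, not Gradio's code from the referenced commit. The alias set, the function names, and the rejection of the opaque origin "null" are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed alias set for this example; the description says only
# "localhost (or one of its aliases)".
LOCALHOST_ALIASES = {"localhost", "127.0.0.1", "0.0.0.0", "::1"}


def _hostname(value, is_origin):
    """Return the lowercase hostname from a Host or Origin header value."""
    if not value:
        return None
    # Host is "name[:port]"; Origin is "scheme://name[:port]".
    target = value if is_origin else "//" + value
    try:
        return urlsplit(target).hostname
    except ValueError:  # e.g. malformed bracketed IPv6 literal
        return None


def origin_allowed(host_header, origin_header):
    """Apply the localhost Host/Origin rule to one request's headers."""
    host = _hostname(host_header, is_origin=False)
    if host not in LOCALHOST_ALIASES:
        # The app is not being addressed as localhost, so the rule does not apply.
        return True
    if origin_header is None:
        # Origin absent (for example a non-browser client): nothing to compare.
        return True
    # Exact hostname match, so "localhost.evil.example" does not pass.
    # An opaque origin ("null") has no hostname and is rejected here (assumption).
    return _hostname(origin_header, is_origin=True) in LOCALHOST_ALIASES


if __name__ == "__main__":
    # Constructed sample requests: (Host header, Origin header).
    samples = [
        ("localhost:7860", "http://localhost:7860"),
        ("127.0.0.1:7860", "https://evil.example"),
        ("localhost:7860", "http://localhost.evil.example"),
        ("localhost:7860", None),
    ]
    for host, origin in samples:
        print(host, origin, "->", "allow" if origin_allowed(host, origin) else "reject")
```

The comparison is made on the parsed hostname rather than on a string prefix, which is what keeps look-alike origins from matching.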

Reference

https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff
https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a
