From 77720365590f5cfde50335c0c251d3a06012b8d5 Mon Sep 17 00:00:00 2001
From: caryoscelus
Date: Fri, 5 Apr 2024 10:48:22 +0000
Subject: [PATCH] Fix some CORS/redirectering cases
---
 src/Ui/UiRequest.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 6e1d5e9e..70470dba 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -148,7 +148,7 @@ class UiRequest:
 return False # Deny cross site requests
- if not self.isSameOrigin(referer, url) or not self.hasCorsPermission(referer):
+ if not self.isSameOrigin(referer, url) and not self.hasCorsPermission(referer):
 return True
 return False
@@ -165,7 +165,7 @@ class UiRequest:
 is_navigate = self.env.get('HTTP_SEC_FETCH_MODE') == 'navigate'
 is_iframe = self.env.get('HTTP_SEC_FETCH_DEST') == 'iframe'
- if is_navigate and not is_iframe and self.is_data_request:
+ if ((is_navigate and not is_iframe) or not config.ui_check_cors) and self.is_data_request:
 host = self.getHostWithoutPort()
 path_info = self.env['PATH_INFO']
 query_string = self.env['QUERY_STRING']
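Review bot: The `# Deny cross site requests` comment above the changed condition in the first hunk (-148) no longer describes the code. With `and`, a cross-origin referer is let through whenever `hasCorsPermission(referer)` is true, and a same-origin request no longer needs a CORS grant. The comment should state the actual rule, e.g. `# Deny cross-site requests unless the referring site was granted CORS permission`, and a test should cover the four same-origin/permission combinations. How `referer` is obtained, and what `hasCorsPermission` returns for an empty or malformed value, is outside the hunk and worth confirming before relying on the looser condition. The enclosing method starts outside the hunk.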
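Review bot: In the second hunk (-165) the added `or not config.ui_check_cors` term sends every data request into this branch when the check is disabled, including iframe loads and non-navigation fetches that the `Sec-Fetch-*` tests excluded before. Nothing in the code says why, so a comment above the condition should record it, e.g. `# ui_check_cors off: apply this branch to all data requests, not only top-level navigations`. The expression would also read better split in two: `plain_navigation = is_navigate and not is_iframe`, then `if (plain_navigation or not config.ui_check_cors) and self.is_data_request:`. The branch body continues past the hunk, so what is done with `host`, `PATH_INFO` and `QUERY_STRING` cannot be judged from here. Presumably `config` is already imported in this module.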