From f395f578eb741672c51d241665b39b6916d9fc44 Mon Sep 17 00:00:00 2001
From: Naomi Carrigan
Date: Sat, 5 Jul 2025 19:53:38 -0700
Subject: [PATCH] fix: get a little hacky with the origin maybe?
---
 server/src/hooks/cors.ts | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/server/src/hooks/cors.ts b/server/src/hooks/cors.ts
index 6e623f7..6b0c5d8 100644
--- a/server/src/hooks/cors.ts
+++ b/server/src/hooks/cors.ts
@@ -31,7 +31,16 @@ export const corsHook: onRequestHookHandler = async(request, response) => {
 if (routesWithoutCors.includes(request.url)) {
 return undefined;
 }
- if (!isValidOrigin(request.headers.origin)) {
+ const { origin } = request.headers;
+ const { host } = request.headers;
+ const { referer } = request.headers;
+
+ const isSameOriginSafe
+ = origin === undefined
+ && host === "hikari.nhcarrigan.com"
+ && referer?.startsWith("https://hikari.nhcarrigan.com");
+
+ if (!isValidOrigin(origin) && isSameOriginSafe !== true) {
 return await response.status(403).send({
 error: