From b78ed44730486def4f7e4444f8842bdd8f837bb2 Mon Sep 17 00:00:00 2001
From: orangix <uleo8b8g@anonaddy.me>
Date: Sun, 25 Jan 2026 07:21:17 +0100
Subject: [PATCH] allow external origin to access media files

---
 pages/media.go  | 3 +++
 utils/config.go | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/pages/media.go b/pages/media.go
index e327811..9aff311 100644
--- a/pages/media.go
+++ b/pages/media.go
@@ -35,6 +35,9 @@ func HandleUserAvatar(w http.ResponseWriter, r *http.Request) error {
 
 func handleMedia(w http.ResponseWriter, r *http.Request, url string) error {
 	utils.SetHeaders(w)
+	if !utils.Config.RestrictiveCORS {
+		w.Header().Set("Access-Control-Allow-Origin", "*")
+	}
 	path := r.URL.Path
 
 	if utils.Config.ForceWebp &&
diff --git a/utils/config.go b/utils/config.go
index 096e68a..fce5db4 100644
--- a/utils/config.go
+++ b/utils/config.go
@@ -12,6 +12,7 @@ type config struct {
 	ProtocolDetection bool
 	Secure            bool
 	ForceWebp         bool
+	RestrictiveCORS   bool
 	ImageCache        bool
 	CleanupInterval   time.Duration
 	CacheDir          string
@@ -39,6 +40,7 @@ func LoadConfig() {
 		ProtocolDetection: envBool("PROTOCOL_DETECTION"),
 		Secure:            envBool("SECURE"),
 		ForceWebp:         envBool("FORCE_WEBP"),
+		RestrictiveCORS:   envBool("RESTRICTIVE_CORS"),
 		Privacy: map[string]interface{}{
 			"set":           os.Getenv("PRIVACY_NOT_COLLECTED") != "",
 			"policy":        os.Getenv("PRIVACY_POLICY"),