From 1f91f6fceeca8687713064e7527f123e72ab5dc9 Mon Sep 17 00:00:00 2001 From: QLHazyCoder <2825305047@qq.com> Date: Sat, 11 Apr 2026 16:44:09 +0800 Subject: [PATCH] =?UTF-8?q?feat:=20=E6=9B=B4=E6=96=B0=20OAuth=20=E5=9B=9E?= =?UTF-8?q?=E8=B0=83=E5=9C=B0=E5=9D=80=E9=AA=8C=E8=AF=81=EF=BC=8C=E6=94=AF?= =?UTF-8?q?=E6=8C=81=20127.0.0.1=20=E5=92=8C=20localhost?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 4 ++-- background.js | 2 +- content/vps-panel.js | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 8c8ac02..b3c01da 100644 --- a/README.md +++ b/README.md @@ -274,7 +274,7 @@ Step 3 使用的注册邮箱。 严格回调捕获规则: -- 步骤 8 现在只接受 `http(s)://localhost:/auth/callback?code=...&state=...` +- 步骤 8 现在只接受 `http(s)://localhost:/auth/callback?code=...&state=...` 或 `http(s)://127.0.0.1:/auth/callback?code=...&state=...` - 监听范围只限于当前 OAuth 认证标签页的主 frame 跳转 - 普通 `localhost` 页面,包括本地部署的 CPA 面板,不会再被误判为回调地址 @@ -297,7 +297,7 @@ Step 3 使用的注册邮箱。 校验规则: -- 步骤 9 会拒绝任何不是真实 `/auth/callback`,或缺少 `code` / `state` 的 `localhostUrl` +- 步骤 9 会拒绝任何不是真实 `/auth/callback`,或缺少 `code` / `state` 的本地回调地址 - 成功后的清理只会针对 `/auth` 这一类真实回调标签页,不会再泛化清理任意 localhost 路径 回到 CPA 面板: diff --git a/background.js b/background.js index 125b3a7..61101c9 100644 --- a/background.js +++ b/background.js @@ -233,7 +233,7 @@ function isLocalhostOAuthCallbackUrl(rawUrl) { const parsed = parseUrlSafely(rawUrl); if (!parsed) return false; if (!['http:', 'https:'].includes(parsed.protocol)) return false; - if (parsed.hostname !== 'localhost') return false; + if (!['localhost', '127.0.0.1'].includes(parsed.hostname)) return false; if (parsed.pathname !== '/auth/callback') return false; const code = (parsed.searchParams.get('code') || '').trim(); diff --git a/content/vps-panel.js b/content/vps-panel.js index 85c8fcb..0361931 100644 --- a/content/vps-panel.js +++ b/content/vps-panel.js @@ -97,7 +97,7 @@ function isLocalhostOAuthCallbackUrl(rawUrl) { const parsed = parseUrlSafely(rawUrl); if (!parsed) return false; if (!['http:', 'https:'].includes(parsed.protocol)) return false; - if (parsed.hostname !== 'localhost') return false; + if (!['localhost', '127.0.0.1'].includes(parsed.hostname)) return false; if (parsed.pathname !== '/auth/callback') return false; const code = (parsed.searchParams.get('code') || '').trim();