From 43a6c9ee471ffb267a57090fc0dceec599cf4e1b Mon Sep 17 00:00:00 2001
From: zhenhui <1276357500@qq.com>
Date: Mon, 30 Mar 2026 13:53:56 +0800
Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D=E8=B7=A8=E5=9F=9F=E6=8A=A5?=
 =?UTF-8?q?=E9=94=99?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 app/common/middleware/AllowCrossDomain.php | 26 +---------------------
 1 file changed, 1 insertion(+), 25 deletions(-)

diff --git a/app/common/middleware/AllowCrossDomain.php b/app/common/middleware/AllowCrossDomain.php
index ede3651..842e724 100644
--- a/app/common/middleware/AllowCrossDomain.php
+++ b/app/common/middleware/AllowCrossDomain.php
@@ -21,25 +21,6 @@ class AllowCrossDomain implements MiddlewareInterface
         'Access-Control-Allow-Headers'     => '*',
     ];
 
-    /**
-     * 读取预检请求中的 Access-Control-Request-Headers（经 CDN/反代时 Request 可能取不到，补读 $_SERVER）
-     */
-    private static function accessControlRequestHeaders(Request $request): string
-    {
-        $reqHeaders = $request->header('access-control-request-headers', '');
-        if (is_array($reqHeaders)) {
-            $reqHeaders = $reqHeaders[0] ?? '';
-        }
-        if (is_string($reqHeaders) && trim($reqHeaders) !== '') {
-            return trim($reqHeaders);
-        }
-        $fromServer = $_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] ?? '';
-        if (is_string($fromServer) && trim($fromServer) !== '') {
-            return trim($fromServer);
-        }
-        return '';
-    }
-
     /**
      * 返回 CORS 预检（OPTIONS）响应，供路由直接调用（Webman 未匹配路由时不走中间件）
      */
@@ -49,7 +30,7 @@ class AllowCrossDomain implements MiddlewareInterface
             'Access-Control-Allow-Credentials' => 'true',
             'Access-Control-Max-Age'            => '1800',
             'Access-Control-Allow-Methods'      => 'GET, POST, PUT, DELETE, PATCH, OPTIONS',
-            'Access-Control-Allow-Headers'      => 'Content-Type, Authorization, batoken, ba-user-token, think-lang, lang, server',
+            'Access-Control-Allow-Headers'      => 'Content-Type, Authorization, batoken, ba-user-token, think-lang, server',
         ];
         $origin = $request->header('origin');
         if (is_array($origin)) {
@@ -67,11 +48,6 @@ class AllowCrossDomain implements MiddlewareInterface
                 || ($host === 'localhost' || $host === '127.0.0.1');
             if ($allowed) {
                 $header['Access-Control-Allow-Origin'] = $origin;
-                // 回显浏览器在预检中声明的请求头，避免白名单遗漏导致 CORS 失败
-                $reqHeaders = self::accessControlRequestHeaders($request);
-                if ($reqHeaders !== '') {
-                    $header['Access-Control-Allow-Headers'] = $reqHeaders;
-                }
             }
         }
         return response('', 204, $header);