From e00a37cd0065a00b2239a0f7a4cd457f5297a46a Mon Sep 17 00:00:00 2001
From: Peng Xiao <pengxiao@outlook.com>
Date: Wed, 25 Jun 2025 14:51:40 +0800
Subject: [PATCH] fix(electron): embeded youtube videos not playable (#12892)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#### PR Dependency Tree


* **PR #12892** 👈

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

- **Bug Fixes**
- Improved handling of CORS headers to ensure they are only removed for
responses from non-whitelisted domains, enhancing compatibility with
certain sites.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->


#### PR Dependency Tree


* **PR #12892** 👈
  * **PR #12895**

This tree was auto-generated by
[Charcoal](https://github.com/danerwilliams/charcoal)
---
 .../apps/electron/src/main/protocol.ts        | 20 ++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/packages/frontend/apps/electron/src/main/protocol.ts b/packages/frontend/apps/electron/src/main/protocol.ts
index edc1749157..7b55c1fb0f 100644
--- a/packages/frontend/apps/electron/src/main/protocol.ts
+++ b/packages/frontend/apps/electron/src/main/protocol.ts
@@ -97,6 +97,13 @@ async function handleFileRequest(request: Request) {
   return net.fetch(pathToFileURL(filepath).toString(), clonedRequest);
 }
 
+// whitelist for cors
+// url patterns that are allowed to have cors headers
+const corsWhitelist = [
+  /^(?:[a-zA-Z0-9-]+\.)*googlevideo\.com$/,
+  /^(?:[a-zA-Z0-9-]+\.)*youtube\.com$/,
+];
+
 export function registerProtocol() {
   protocol.handle('file', request => {
     return handleFileRequest(request);
@@ -108,7 +115,7 @@ export function registerProtocol() {
 
   session.defaultSession.webRequest.onHeadersReceived(
     (responseDetails, callback) => {
-      const { responseHeaders } = responseDetails;
+      const { responseHeaders, url } = responseDetails;
       (async () => {
         if (responseHeaders) {
           const originalCookie =
@@ -146,10 +153,13 @@ export function registerProtocol() {
             }
           }
 
-          delete responseHeaders['access-control-allow-origin'];
-          delete responseHeaders['access-control-allow-headers'];
-          delete responseHeaders['Access-Control-Allow-Origin'];
-          delete responseHeaders['Access-Control-Allow-Headers'];
+          const hostname = new URL(url).hostname;
+          if (!corsWhitelist.some(domainRegex => domainRegex.test(hostname))) {
+            delete responseHeaders['access-control-allow-origin'];
+            delete responseHeaders['access-control-allow-headers'];
+            delete responseHeaders['Access-Control-Allow-Origin'];
+            delete responseHeaders['Access-Control-Allow-Headers'];
+          }
         }
       })()
         .catch(err => {