From 3af45c14622c65e5b815b1ae4399c96d32f3a737 Mon Sep 17 00:00:00 2001 From: MHSanaei Date: Thu, 14 May 2026 23:37:25 +0200 Subject: [PATCH] fix: Add base-path meta tag for Cloudflare Rocket Loader compatibility When Cloudflare Rocket Loader is enabled, it interferes with inline scripts that set window.X_UI_BASE_PATH, causing the frontend to fail to configure the correct base URL for API calls. This results in 404 errors on the login page when calling /getTwoFactorEnable. Solution: Add meta name='base-path' tag to HTML (similar to csrf-token), update axios initialization to read from meta tag as fallback. Meta tags are not affected by CSP or Rocket Loader delays. Fixes #4393 --- frontend/src/api/axios-init.js | 7 ++++++- web/controller/dist.go | 2 ++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/frontend/src/api/axios-init.js b/frontend/src/api/axios-init.js index 2ea235c5..3055e883 100644 --- a/frontend/src/api/axios-init.js +++ b/frontend/src/api/axios-init.js @@ -51,7 +51,12 @@ export function setupAxios() { axios.defaults.headers.post['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8'; axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest'; - const basePath = window.X_UI_BASE_PATH; + // Read base path from window object or fallback to meta tag (for Cloudflare Rocket Loader compatibility) + let basePath = window.X_UI_BASE_PATH; + if (!basePath) { + const metaTag = document.querySelector('meta[name="base-path"]'); + basePath = metaTag ? metaTag.getAttribute('content') : null; + } if (typeof basePath === 'string' && basePath !== '' && basePath !== '/') { axios.defaults.baseURL = basePath; } diff --git a/web/controller/dist.go b/web/controller/dist.go index fd1b35a9..682f0024 100644 --- a/web/controller/dist.go +++ b/web/controller/dist.go @@ -56,6 +56,7 @@ func serveDistPage(c *gin.Context, name string) { csrfToken = "" } csrfMeta := []byte(``) + basePathMeta := []byte(``) nonceAttr := "" if nonce := c.GetString("csp_nonce"); nonce != "" { @@ -69,6 +70,7 @@ func serveDistPage(c *gin.Context, name string) { script += `;` inject := []byte(script) inject = append(inject, csrfMeta...) + inject = append(inject, basePathMeta...) inject = append(inject, []byte(``)...) out := bytes.Replace(body, []byte(""), inject, 1)