Alex-Devera/3x-ui
1
0
Fork 0
mirror of https://github.com/MHSanaei/3x-ui.git synced 2026-05-18 12:05:53 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

fix: Add base-path meta tag for Cloudflare Rocket Loader compatibility
Some checks are pending
CI / go-test (push) Waiting to run
Details
CI / govulncheck (push) Waiting to run
Details
CI / frontend (push) Waiting to run
Details
CodeQL Advanced / Analyze (go) (push) Waiting to run
Details
CodeQL Advanced / Analyze (actions) (push) Waiting to run
Details
CodeQL Advanced / Analyze (javascript-typescript) (push) Waiting to run
Details
Release 3X-UI / build (386) (push) Waiting to run
Details
Release 3X-UI / build (amd64) (push) Waiting to run
Details
Release 3X-UI / build (arm64) (push) Waiting to run
Details
Release 3X-UI / build (armv5) (push) Waiting to run
Details
Release 3X-UI / build (armv6) (push) Waiting to run
Details
Release 3X-UI / build (armv7) (push) Waiting to run
Details
Release 3X-UI / build (s390x) (push) Waiting to run
Details
Release 3X-UI / Build for Windows (push) Waiting to run
Details

Browse source 
When Cloudflare Rocket Loader is enabled, it interferes with inline scripts that set window.X_UI_BASE_PATH, causing the frontend to fail to configure the correct base URL for API calls. This results in 404 errors on the login page when calling /getTwoFactorEnable.

Solution: Add meta name='base-path' tag to HTML (similar to csrf-token), update axios initialization to read from meta tag as fallback. Meta tags are not affected by CSP or Rocket Loader delays.

Fixes #4393
This commit is contained in:
MHSanaei 2026-05-14 23:37:25 +02:00
parent 6badd829df
commit 3af45c1462
No known key found for this signature in database
GPG key ID: 7E4060F2FBE5AB7A
2 changed files with 8 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
frontend/src/api/axios-init.js
View file

@ -51,7 +51,12 @@ export function setupAxios() {
axios.defaults.headers.post['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8'; axios.defaults.headers.post['Content-Type'] = 'application/x-www-form-urlencoded; charset=UTF-8';
axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest'; axios.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
const basePath = window.X_UI_BASE_PATH; // Read base path from window object or fallback to meta tag (for Cloudflare Rocket Loader compatibility)
let basePath = window.X_UI_BASE_PATH;
if (!basePath) {
const metaTag = document.querySelector('meta[name="base-path"]');
basePath = metaTag ? metaTag.getAttribute('content') : null;
}
if (typeof basePath === 'string' && basePath !== '' && basePath !== '/') { if (typeof basePath === 'string' && basePath !== '' && basePath !== '/') {
axios.defaults.baseURL = basePath; axios.defaults.baseURL = basePath;
} }

2
web/controller/dist.go
View file

@ -56,6 +56,7 @@ func serveDistPage(c *gin.Context, name string) {
csrfToken = "" csrfToken = ""
} }
csrfMeta := []byte(`<meta name="csrf-token" content="` + htmlpkg.EscapeString(csrfToken) + `">`) csrfMeta := []byte(`<meta name="csrf-token" content="` + htmlpkg.EscapeString(csrfToken) + `">`)
basePathMeta := []byte(`<meta name="base-path" content="` + htmlpkg.EscapeString(basePath) + `">`)
nonceAttr := "" nonceAttr := ""
if nonce := c.GetString("csp_nonce"); nonce != "" { if nonce := c.GetString("csp_nonce"); nonce != "" {
@ -69,6 +70,7 @@ func serveDistPage(c *gin.Context, name string) {
script += `;</script>` script += `;</script>`
inject := []byte(script) inject := []byte(script)
inject = append(inject, csrfMeta...) inject = append(inject, csrfMeta...)
inject = append(inject, basePathMeta...)
inject = append(inject, []byte(`</head>`)...) inject = append(inject, []byte(`</head>`)...)
out := bytes.Replace(body, []byte("</head>"), inject, 1) out := bytes.Replace(body, []byte("</head>"), inject, 1)