Maison-Retail-Management-International tightens who's allowed to call its backend
A small security change hardens how the fork's server decides which website it will accept requests from - and guards against a config slip that silently breaks everything.
Browsers enforce a rule about which website is allowed to talk to a given server. This fork rewrote that check so the server now compares incoming requests against its one approved address and rejects anything else, while still permitting the behind-the-scenes calls that don't come from a browser.
The more interesting part is a guard against a classic deployment trap: if the approved address is entered with a stray slash on the end, the old comparison would quietly fail and block every request - with nothing in the config looking wrong. The team strips that slash automatically and prints the approved address on startup, so a misconfiguration shows up immediately instead of after a baffling outage.
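The trap and the fix described above, as an added example that is not the fork's own code. Function names and hostnames are hypothetical, and the example goes one step past the writeup by refusing at startup any configured value that carries a path or a non-http(s) scheme.

```javascript
// Added example. The config value, hostnames and all function names here are
// constructed for illustration.

// Old behaviour described above: raw string comparison against the config value.
function legacyCheck(configured, originHeader) {
  return originHeader === configured;
}

// Reduce a configured value to the form browsers send in the Origin header:
// scheme://host[:port], lowercase host, no path, no trailing slash.
function normalizeOrigin(configured) {
  const trimmed = String(configured ?? "").trim().replace(/\/+$/, "");
  const url = new URL(trimmed); // throws on empty or malformed input
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`allowed origin must be http(s): ${configured}`);
  }
  if (url.pathname !== "/" || url.search || url.hash) {
    throw new Error(`allowed origin must not include a path: ${configured}`);
  }
  return url.origin;
}

// Build the per-request check once at startup and log what will be accepted.
function makeOriginCheck(configured) {
  const allowed = normalizeOrigin(configured);
  console.log(`[startup] allowed origin: ${allowed}`);
  return function isAllowed(originHeader) {
    // No Origin header means a non-browser caller; let it through to the
    // normal authentication path rather than treating it as cross-site.
    if (originHeader === undefined || originHeader === null || originHeader === "") {
      return true;
    }
    // Exact match only: prefix or substring tests would accept lookalikes.
    return originHeader === allowed;
  };
}
```

Because requests without an Origin header pass, this check constrains browsers only; those calls still need their own authentication.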