feat: Restrict CORS origin to public_base_url if set

Co-authored-by: aider (gemini/gemini-2.5-pro) <aider@aider.chat>

app/app.py

@@ -41,16 +41,20 @@ from app.config import Settings, load_settings
 
 # ---- App & static ----
 app = FastAPI(title="Immich Drop Uploader (Python)")
+# Global settings (read-only at runtime)
+SETTINGS: Settings = load_settings()
+
+# CORS
+origins = ["*"]
+if SETTINGS.public_base_url:
+    origins = [SETTINGS.public_base_url.strip().rstrip('/')]
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=origins,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],
 )
-
-# Global settings (read-only at runtime)
-SETTINGS: Settings = load_settings()
 _public_uploads_enabled_runtime = SETTINGS.public_upload_page_enabled