From fbb4cf61240b65bda9de3dcb1fb99c52ac127db5 Mon Sep 17 00:00:00 2001
From: Damien Elmes <gpg@ankiweb.net>
Date: Wed, 16 Apr 2025 22:11:11 +1000
Subject: [PATCH] Avoid sending API key for remote resources

Thanks to Abdo for the report
---
 qt/aqt/webview.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/qt/aqt/webview.py b/qt/aqt/webview.py
index a6619811d..c83eec41f 100644
--- a/qt/aqt/webview.py
+++ b/qt/aqt/webview.py
@@ -69,7 +69,7 @@ class AuthInterceptor(QWebEngineUrlRequestInterceptor):
     def interceptRequest(self, info):
         from aqt.mediasrv import _APIKEY
 
-        if self._api_enabled:
+        if self._api_enabled and info.requestUrl().host() == "127.0.0.1":
             info.setHttpHeader(b"Authorization", f"Bearer {_APIKEY}".encode("utf-8"))