Skip to content

fix: omit CORS allow headers for disallowed origins#20

Merged
ruoka merged 1 commit into
masterfrom
fix/cors-omit-disallowed-origin
Jul 18, 2026
Merged

fix: omit CORS allow headers for disallowed origins#20
ruoka merged 1 commit into
masterfrom
fix/cors-omit-disallowed-origin

Conversation

@ruoka

@ruoka ruoka commented Jul 18, 2026

Copy link
Copy Markdown
Owner

Summary

  • Stop falling back to Access-Control-Allow-Origin: * when Origin is missing or rejected by the allowlist validator.
  • Reflect the request Origin (and related Allow-* / credentials headers) only when the origin is permitted.
  • Update middleware tests to assert ACAO is omitted on deny / no-Origin.

Test plan

  • ./tools/CB.sh debug test --jsonl=failures --tags='\[net\]' (427/427)
  • Review CORS preflight path for disallowed origins

Made with Cursor

Access-Control-Allow-Origin must not fall back to "*" when Origin is
missing or rejected by the allowlist; browsers treat that as open CORS.
Reflect the request Origin only when the validator permits it.

Co-authored-by: Cursor <cursoragent@cursor.com>
@ruoka
ruoka merged commit 8efa065 into master Jul 18, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant