Skip to content

fix(security): strip wildcard CORS origin when credentials are enabled#1366

Draft
glitch-ux wants to merge 1 commit into
SolaceLabs:mainfrom
glitch-ux:fix/cors-wildcard-credentials
Draft

fix(security): strip wildcard CORS origin when credentials are enabled#1366
glitch-ux wants to merge 1 commit into
SolaceLabs:mainfrom
glitch-ux:fix/cors-wildcard-credentials

Conversation

@glitch-ux

Copy link
Copy Markdown

Summary

CORS is configured with allow_credentials=True across the WebUI Gateway and Platform Service. When allow_origins contains "*", Starlette's CORSMiddleware reflects the request's Origin header in the response — effectively allowing any website to make authenticated cross-origin requests (session cookies, tokens). This is CWE-942.

This PR:

  • Detects and strips "*" from allow_origins at middleware setup time in both the WebUI Gateway and Platform Service, with a clear warning log explaining the issue and how to suppress it
  • Auto-constructs safe localhost origins from the component's configured host/port when no origins remain (matching the existing Platform Service auto-construction pattern)
  • Changes the code default for cors_allowed_origins from ["*"] to [] — YAML templates already set explicit origins (http://localhost:3000, etc.), so this only affects unconfigured deployments
  • Updates the webhook gateway example to use explicit origins instead of "*"
  • Adds 8 new unit tests covering wildcard stripping, auto-construction (HTTP + HTTPS), and pass-through of explicit origins
  • Updates test factories to use explicit origins instead of wildcard

Files changed

File Change
src/.../gateway/http_sse/main.py Wildcard detection + auto-construction in _setup_middleware
src/.../services/platform/api/main.py Wildcard detection in _setup_middleware
src/.../gateway/http_sse/component.py Default ["*"][]
src/.../services/platform/component.py Default ["*"][]
src/.../gateway/http_sse/app.py Schema default + description
src/.../services/platform/app.py Schema default + description
examples/gateways/webhook_gateway_example.yaml Explicit origin in example
tests/unit/.../test_http_sse_main.py 6 new tests for WebUI CORS handling
tests/unit/.../test_cors_auto_construction.py 2 new tests for Platform CORS handling
3 test infrastructure files Updated mock origins

Backward compatibility

  • Deployments using sam init (YAML templates) are unaffected — templates already set explicit origins
  • Deployments with explicit cors_allowed_origins config are unaffected
  • Deployments relying on the ["*"] code default will now get auto-constructed localhost origins instead, with a warning log. This is a security improvement, not a regression

Test plan

  • 6 new WebUI CORS tests pass (TestCORSWildcardHandling)
  • 2 new Platform CORS tests pass
  • All 13 existing Platform CORS auto-construction tests still pass
  • All existing WebUI main tests still pass
  • Manual: run sam init && sam run and verify the Web UI at http://localhost:8000 works (CORS headers should show the auto-constructed origin, not *)
  • Manual: set cors_allowed_origins: ["*"] in webui.yaml and verify the warning log appears at startup

Starlette's CORSMiddleware with allow_origins=["*"] and
allow_credentials=True reflects the request's Origin header in the
response, allowing any website to make authenticated cross-origin
requests. This is a well-known CORS misconfiguration (CWE-942).

Changes:
- WebUI Gateway and Platform Service: detect '*' in allowed origins at
  middleware setup time, log a security warning, and remove it.
- When no origins remain after stripping, auto-construct safe localhost
  origins from the component's configured host/port (matching the
  existing platform service auto-construction pattern).
- Change the code-level default for cors_allowed_origins from ["*"] to
  [] in both components and their app config schemas. YAML templates
  already set explicit origins, so this only affects unconfigured
  deployments.
- Update webhook gateway example to use explicit origins.
- Add 8 new unit tests covering wildcard stripping, auto-construction,
  HTTPS detection, and pass-through of explicit origins.
- Update test factories and assertions to use explicit origins.

Signed-off-by: José Maia <glitch-ux@users.noreply.github.com>
@glitch-ux glitch-ux marked this pull request as draft April 10, 2026 00:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant