fix(pds): reflect requested CORS headers instead of a fixed allowlist

jphastings · jphastings · commit 4cd16af14b54 · 2026-06-02T09:21:39.000+02:00
My previous commit hand-listed allowed headers (to get Authorization working), but that quietly dropped others browsers need (accept-language, x-bsky-topics, etc). Omitting allowHeaders lets Hono echo the requested headers back, matching the [reference atproto PDS](https://github.com/bluesky-social/atproto/blob/7f5c4ceb0b6872cb921ba9c2fab8c38614414f6c/packages/pds/src/index.ts#L171) and covering anything future clients send.
diff --git a/.changeset/cors-authorization-header.md b/.changeset/cors-authorization-header.md
@@ -4,4 +4,4 @@
 
 Be explicit with CORS headers so browser-based authenticated XRPC calls work (particularly PDS Moover).
 
-The CORS middleware advertised `Access-Control-Allow-Headers: *`, but the Fetch spec calls out that `*` wildcard does not cover the `Authorization` header — browsers require it to be named explicitly. As a result, authed cross-origin requests from web clients (eg. PDS Moover's `com.pdsmoover.backup.getRepoStatus`) were blocked at preflight. As `*` can't be used with other headers, all allowed headers are now listed explicitly.
+The CORS middleware advertised `Access-Control-Allow-Headers: *`, but this didn't cover the `Authorization` header needed by tools like PDS Moover. As a result, authed cross-origin requests from web clients (eg. PDS Moover's `com.pdsmoover.backup.getRepoStatus`) were blocked at preflight. This is now resolved; all headers are reflected back, just like the Bluesky implementation.
diff --git a/packages/pds/src/index.ts b/packages/pds/src/index.ts
@@ -84,16 +84,12 @@ app.use(
 	cors({
 		origin: "*",
 		allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
-		// `Authorization` must be listed explicitly: a `*` wildcard in
-		// Access-Control-Allow-Headers doesn't cover `Authorization`,
-		// so browsers block authed XRPC calls (e.g. PDS Moover).
-		allowHeaders: [
-			"Authorization",
-			"Content-Type",
-			"DPoP",
-			"atproto-proxy",
-			"atproto-accept-labelers",
-		],
+		// Omit allowHeaders: Hono reflects the browser's
+		// Access-Control-Request-Headers back, matching the reference
+		// atproto PDS (`cors({ maxAge })`). This allows Authorization
+		// (a `*` wildcard wouldn't), DPoP, atproto-proxy,
+		// atproto-accept-labelers, accept-language, x-bsky-topics and
+		// any future header automatically.
 		exposeHeaders: ["Content-Type"],
 		maxAge: 86400,
 	}),

Original file line number	Diff line number	Diff line change
`@@ -4,4 +4,4 @@`
`4`	`4`
`5`	`5`	`Be explicit with CORS headers so browser-based authenticated XRPC calls work (particularly PDS Moover).`
`6`	`6`
`7`		-The CORS middleware advertised `Access-Control-Allow-Headers: `, but the Fetch spec calls out that `` wildcard does not cover the `Authorization` header — browsers require it to be named explicitly. As a result, authed cross-origin requests from web clients (eg. PDS Moover's `com.pdsmoover.backup.getRepoStatus`) were blocked at preflight. As `*` can't be used with other headers, all allowed headers are now listed explicitly.
	`7`	+The CORS middleware advertised `Access-Control-Allow-Headers: *`, but this didn't cover the `Authorization` header needed by tools like PDS Moover. As a result, authed cross-origin requests from web clients (eg. PDS Moover's `com.pdsmoover.backup.getRepoStatus`) were blocked at preflight. This is now resolved; all headers are reflected back, just like the Bluesky implementation.