Skip to content

Enforce configured CORS origins#237

Merged
coder13 merged 1 commit into
devfrom
agent/cors-allowlist
Jul 14, 2026
Merged

Enforce configured CORS origins#237
coder13 merged 1 commit into
devfrom
agent/cors-allowlist

Conversation

@coder13

@coder13 coder13 commented Jul 14, 2026

Copy link
Copy Markdown
Owner

Summary

  • replace permissive credentialed CORS handling with the configured origin allowlist
  • allow exact CORS_ORIGINS entries only
  • cover allowed, rejected, and no-Origin requests with focused tests

Why

The server previously reflected every caller origin while allowing credentials. That allowed any website to make credentialed cross-origin requests.

User impact

Configured production and local development origins continue to work. Unconfigured cross-origin callers no longer receive CORS permission. No email-related behavior is added or changed.

Validation

  • focused CORS middleware tests
  • server lint
  • commit hook: full workspace lint and tests (209 server, 97 client, 22 scramble tests)
  • git diff check

Closes #236.

Use the explicit CORS origin configuration for credentialed browser requests and reject unconfigured cross-origin callers.
@coder13
coder13 force-pushed the agent/cors-allowlist branch from 6ffdc72 to b59d5a9 Compare July 14, 2026 03:32
@coder13
coder13 marked this pull request as ready for review July 14, 2026 03:34
@coder13
coder13 merged commit 5c0a0c3 into dev Jul 14, 2026
9 checks passed
@coder13
coder13 deleted the agent/cors-allowlist branch July 14, 2026 03:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant