[codex] Validate CORS allowlist origins#224

Open
pq198363-ops wants to merge 1 commit into
Agentpay-Org:main from
pq198363-ops:bounty-97-cors-allowlist
Conversation

@pq198363-ops

Closes #97

Summary

  • Parse CORS_ALLOWED_ORIGINS into normalized http(s)://host[:port] origins.
  • Trim whitespace, lowercase scheme/host, and accept trailing-slash origin entries.
  • Skip malformed entries with a startup warning instead of reflecting surprising values.
  • Reject wildcard * configuration at startup so deployments list trusted origins explicitly.
  • Keep Vary: Origin on Origin-bearing requests and never reflect unlisted origins.
  • Document the CORS configuration rules and wildcard stance in the README.

Threat model

The server should only reflect origins that normalize to an explicit configured allowlist entry. A hostile Origin header, malformed config entry, or wildcard misconfiguration should not create arbitrary origin reflection or an unsafe wildcard/credentials posture.

RED/GREEN evidence

  • RED: focused CORS tests failed on current main because trailing-slash/case-normalized origins did not match, unlisted origins lacked Vary: Origin, malformed entries were not logged, and wildcard config did not fail startup.
  • GREEN: focused CORS tests pass after implementation.

Verification

  • npm run build passed.
  • $env:NODE_ENV='test'; node --test dist/cors.test.js passed 4 tests.
  • npx prettier --check README.md src/middleware/index.ts src/cors.test.ts passed.
  • npm run lint passed.
  • Cleaned dist/, rebuilt with npm run build, then $env:NODE_ENV='test'; node --test dist/*.test.js dist/**/*.test.js passed 93 tests across 11 suites.
  • git diff --cached --check passed before commit.

Note: npm test uses POSIX-style NODE_ENV=test, so on Windows PowerShell I used the equivalent $env:NODE_ENV='test'; node --test ... commands.
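The behaviour the summary and threat model describe (normalize each configured entry, skip malformed ones with a warning, refuse a bare `*`, emit `Vary: Origin` on every Origin-bearing request, and echo only an origin that normalizes to an allowlist entry) can be sketched end to end. The block below is an added example written for this page, not the code in `src/middleware/index.ts` or `src/cors.test.ts`; the names `normalizeOrigin`, `parseAllowedOrigins`, `corsHeaders` and `SAMPLE_ENV` are assumed, and the sample configuration string is constructed. It leans on the WHATWG `URL` parser for lowercasing and default-port stripping and additionally treats any entry containing `*` (including `https://*.example.com`) as malformed, which is a design choice of this example rather than something the PR states.

```typescript
// Added example, not the project's code. Strict CORS allowlist parsing and
// origin matching along the lines described in the PR summary.

export interface AllowlistParseResult {
  allowed: Set<string>; // normalized origins, e.g. "https://app.example.com"
  warnings: string[];   // one message per configured entry that was skipped
}

// Normalize one origin string to "scheme://host[:port]" or return null when
// it is not a bare http(s) origin. The URL parser lowercases the scheme and
// host and drops default ports, so "HTTPS://App.Example.com:443/" becomes
// "https://app.example.com". The href check rejects anything that carries
// userinfo, a path other than "/", a query or a fragment.
export function normalizeOrigin(value: string): string | null {
  const trimmed = value.trim();
  if (trimmed === "" || trimmed.includes("*")) return null; // no wildcard hosts
  let url: URL;
  try {
    url = new URL(trimmed);
  } catch {
    return null; // not an absolute URL ("example.com", "null", ...)
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.href !== url.origin + "/") return null; // tolerate only a trailing slash
  return url.origin;
}

// Parse the comma-separated CORS_ALLOWED_ORIGINS value at startup. A bare
// "*" fails closed by throwing; malformed entries are dropped and reported.
export function parseAllowedOrigins(raw: string | undefined): AllowlistParseResult {
  const allowed = new Set<string>();
  const warnings: string[] = [];
  for (const entry of (raw ?? "").split(",")) {
    const trimmed = entry.trim();
    if (trimmed === "") continue; // tolerate "a,,b" and trailing commas
    if (trimmed === "*") {
      throw new Error(
        "CORS_ALLOWED_ORIGINS must list explicit origins; '*' is not allowed",
      );
    }
    const origin = normalizeOrigin(trimmed);
    if (origin === null) {
      warnings.push(
        `Skipping malformed CORS_ALLOWED_ORIGINS entry: ${JSON.stringify(trimmed)}`,
      );
      continue;
    }
    allowed.add(origin);
  }
  return { allowed, warnings };
}

// Compute the CORS response headers for one request. A request without an
// Origin header gets nothing. Every Origin-bearing response carries
// "Vary: Origin" so a cache never serves one origin's answer to another, and
// only an origin that normalizes to an allowlist entry is echoed, in its
// normalized form rather than as the raw header value.
export function corsHeaders(
  allowed: Set<string>,
  requestOrigin: string | undefined,
): Record<string, string> {
  if (requestOrigin === undefined) return {};
  const headers: Record<string, string> = { Vary: "Origin" };
  const origin = normalizeOrigin(requestOrigin);
  if (origin !== null && allowed.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
  }
  return headers;
}

// Constructed sample configuration (not a real deployment's value): mixed
// case, a trailing slash, a non-default port, a scheme-less entry and a
// wildcard subdomain. The last two are dropped with warnings.
export const SAMPLE_ENV =
  " https://App.Example.com/ , HTTP://localhost:3000, example.com, https://*.example.com ";
export const sample = parseAllowedOrigins(SAMPLE_ENV);
```

If the middleware also sets `Access-Control-Allow-Credentials: true`, it should do so only on the branch that echoes an allowlisted origin; pairing credentials with a reflected or wildcard origin is exactly the posture the threat model rules out.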

Development

Linked issue #97: Validate and normalize the CORS origin allowlist and reject wildcard misconfiguration