From 1eeb8df04b0c6d91dacc08b2807bf6d00a7edc85 Mon Sep 17 00:00:00 2001 From: Will Anderson Date: Mon, 11 May 2026 15:22:22 -0500 Subject: [PATCH] Update CORS test: no-Origin requests are allowed (same-origin fix) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Same-origin browser fetches don't send Origin. The server correctly allows them — blocking was the bug that broke checkout. Update the test to match the fixed behavior. --- tests/api/security.test.ts | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/tests/api/security.test.ts b/tests/api/security.test.ts index d777353..0467488 100644 --- a/tests/api/security.test.ts +++ b/tests/api/security.test.ts @@ -51,11 +51,13 @@ test.describe('Security headers', () => { // - anything else (e.g. evil.com): BLOCKED (403) test.describe('CORS enforcement — /api/supabase-config', () => { - test('Rejects requests with no Origin header', async () => { - // No Origin = not from a browser context — the server treats this as - // an unknown caller and returns 403 to prevent server-side exfiltration. + test('Allows requests with no Origin header (same-origin browser fetches)', async () => { + // Same-origin browser fetches (e.g. checkout page fetching supabase-config on + // the same domain) do not send an Origin header. The server must pass these + // through — blocking them would break the checkout flow on production. + // Server-side exfiltration is prevented by the evil-origin 403 below. const r = await get('/api/supabase-config'); - expect(r.status).toBe(403); + expect(r.status).toBe(200); }); test('Rejects evil origin', async () => { -- 2.52.0