neuron-technologies/neuron-web
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Update CORS test: no-Origin requests are allowed #104

Merged
will.anderson merged 2 commits from dev into stage 2026-05-11 20:22:41 +00:00
Conversation 0 Commits 2 Files Changed 1
+6 -4
1 changed files with 6 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/api/security.test.ts
+6 -4
View File
@@ -51,11 +51,13 @@ test.describe('Security headers', () => {
// - anything else (e.g. evil.com): BLOCKED (403)
test.describe('CORS enforcement — /api/supabase-config', () => {
test('Rejects requests with no Origin header', async () => {
// No Origin = not from a browser context — the server treats this as
// an unknown caller and returns 403 to prevent server-side exfiltration.
test('Allows requests with no Origin header (same-origin browser fetches)', async () => {
// Same-origin browser fetches (e.g. checkout page fetching supabase-config on
// the same domain) do not send an Origin header. The server must pass these
// through — blocking them would break the checkout flow on production.
// Server-side exfiltration is prevented by the evil-origin 403 below.
const r = await get('/api/supabase-config');
expect(r.status).toBe(403);
expect(r.status).toBe(200);
});
test('Rejects evil origin', async () => {