Fix supabase-config CORS: treat absent Origin as allowed #95

Merged

will.anderson merged 1 commits from fix/stage-ci-paths into dev 2026-05-11 18:30:47 +00:00

Conversation 0 Commits 1 Files Changed 1

+5 -1

will.anderson commented 2026-05-11 18:30:33 +00:00

Owner

Copy Link

Copy Source

map_get returns null for missing headers. str_eq(null, "") is false, so same-origin browser fetches (which send no Origin) were denied. Fix: check str_starts_with(origin, "http") to detect a present origin; absent origin passes unconditionally.

map_get returns null for missing headers. str_eq(null, "") is false, so same-origin browser fetches (which send no Origin) were denied. Fix: check str_starts_with(origin, "http") to detect a present origin; absent origin passes unconditionally.

will.anderson added 1 commit 2026-05-11 18:30:35 +00:00

Fix supabase-config CORS: treat absent Origin header as allowed ... 617916134f

map_get returns null (0) for missing headers. str_eq(null, "") is false
because EL_CSTR(0) is NULL != "". Same-origin browser fetches don't send
Origin at all, so the missing-origin case was incorrectly being denied.

Fix: use str_starts_with(req_origin, "http") to detect a present origin.
If no origin header (null first arg → str_starts_with returns false),
origin_present is false and the request is allowed unconditionally.

will.anderson merged commit dd5fd2b3ce into dev 2026-05-11 18:30:47 +00:00

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

No items

No labels

Milestone

No items

No Milestone

Projects

Clear projects

No projects

Assignees

Clear assignees

tim.lingo (Tim Lingo) will.anderson (Will Anderson)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: neuron-technologies/neuron-web#95