Fix supabase-config CORS: treat absent Origin as allowed #95

Merged

will.anderson merged 1 commits from fix/stage-ci-paths into dev

2026-05-11 18:30:47 +00:00

Author	SHA1	Message	Date
will.anderson	617916134f	Fix supabase-config CORS: treat absent Origin header as allowed Dev — Build & local smoke test / build-smoke (pull_request) Successful in 1m30s Details map_get returns null (0) for missing headers. str_eq(null, "") is false because EL_CSTR(0) is NULL != "". Same-origin browser fetches don't send Origin at all, so the missing-origin case was incorrectly being denied. Fix: use str_starts_with(req_origin, "http") to detect a present origin. If no origin header (null first arg → str_starts_with returns false), origin_present is false and the request is allowed unconditionally.	2026-05-11 13:30:22 -05:00

Author

SHA1

Message

Date

will.anderson

617916134f

Fix supabase-config CORS: treat absent Origin header as allowed

Dev — Build & local smoke test / build-smoke (pull_request) Successful in 1m30s

Details

map_get returns null (0) for missing headers. str_eq(null, "") is false
because EL_CSTR(0) is NULL != "". Same-origin browser fetches don't send
Origin at all, so the missing-origin case was incorrectly being denied.

Fix: use str_starts_with(req_origin, "http") to detect a present origin.
If no origin header (null first arg → str_starts_with returns false),
origin_present is false and the request is allowed unconditionally.

2026-05-11 13:30:22 -05:00

Fix supabase-config CORS: treat absent Origin as allowed #95

1 Commits