src/main.el

@@ -1167,7 +1167,11 @@ fn handle_request_inner(method: String, path: String, headers: Map, body: String
     // would not be able to silently obtain the key to make authenticated calls.
     if str_eq(path, "/api/supabase-config") {
         let req_origin: String = map_get(headers, "origin")
-        let origin_ok: Bool = str_eq(req_origin, "")
+        // map_get returns 0 (null) when the header is absent — same-origin
+        // browser fetches don't send Origin at all. str_starts_with(null, "http")
+        // returns false, so !origin_present correctly passes no-origin requests.
+        let origin_present: Bool = str_starts_with(req_origin, "http")
+        let origin_ok: Bool = !origin_present
             || str_eq(req_origin, "https://neurontechnologies.ai")
             || str_eq(req_origin, "https://www.neurontechnologies.ai")
             || str_starts_with(req_origin, "http://localhost:")