dev → stage: fix supabase-config null-origin CORS bug #96

Merged
will.anderson merged 2 commits from dev into stage 2026-05-11 18:31:04 +00:00
Owner

Same-origin browser fetches don't send Origin header. map_get returns null, str_eq(null, '') is false, endpoint was 403ing all same-origin checkout page loads. Fix uses str_starts_with to detect a present origin instead.

will.anderson added 2 commits 2026-05-11 18:30:52 +00:00
Fix supabase-config CORS: treat absent Origin header as allowed
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 1m30s
617916134f
map_get returns null (0) for missing headers. str_eq(null, "") is false
because EL_CSTR(0) is NULL != "". Same-origin browser fetches don't send
Origin at all, so the missing-origin case was incorrectly being denied.

Fix: use str_starts_with(req_origin, "http") to detect a present origin.
If no origin header (null first arg → str_starts_with returns false),
origin_present is false and the request is allowed unconditionally.
Merge PR #95
will.anderson merged commit a59fdf4baa into stage 2026-05-11 18:31:04 +00:00
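
The null handling described in the commit message above, modelled in C as an added example; this is not code from the pull request or the project. The helper semantics follow the commit message, while the allowlist origin, the shape of the pre-fix check and `allow_strict` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed allowlist entry; the real allowed origins are not on the page. */
static const char *ALLOWED_ORIGIN = "https://shop.example.test";

/* Assumed models of the runtime helpers, following the commit message. */
static bool str_eq(const char *a, const char *b) {
    if (a == NULL || b == NULL) return a == b;      /* str_eq(NULL, "") is false */
    return strcmp(a, b) == 0;
}

static bool str_starts_with(const char *s, const char *prefix) {
    if (s == NULL || prefix == NULL) return false;  /* null first arg -> false */
    return strncmp(s, prefix, strlen(prefix)) == 0;
}

/* Before (assumed shape): absence tested with str_eq(origin, ""),
 * which a missing (null) header never satisfies, so the request is denied. */
bool allow_before(const char *origin) {
    if (str_eq(origin, "")) return true;
    return str_eq(origin, ALLOWED_ORIGIN);
}

/* After: "present" means the value starts with "http"; otherwise allow. */
bool allow_after(const char *origin) {
    bool origin_present = str_starts_with(origin, "http");
    if (!origin_present) return true;
    return str_eq(origin, ALLOWED_ORIGIN);
}

/* Hypothetical stricter variant: only a missing header skips the allowlist. */
bool allow_strict(const char *origin) {
    if (origin == NULL) return true;
    return str_eq(origin, ALLOWED_ORIGIN);
}

int main(void) {
    /* Constructed sample Origin values; NULL stands for an absent header. */
    const char *samples[] = { NULL, "", "null", "https://shop.example.test",
                              "https://other.example.test" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s before=%d after=%d strict=%d\n",
               samples[i] ? samples[i] : "(absent)", allow_before(samples[i]),
               allow_after(samples[i]), allow_strict(samples[i]));
    return 0;
}
```

Under this model a present Origin value that does not begin with `http`, such as the literal `null` that browsers send for opaque origins, takes the same allow path as a missing header. `allow_strict` keeps that case on the allowlist check.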

Reference: neuron-technologies/neuron-web#96