2026-05-11 18:31:04 +00:00
1 changed files with 5 additions and 1 deletions
@@ -1167,7 +1167,11 @@ fn handle_request_inner(method: String, path: String, headers: Map, body: String
    // would not be able to silently obtain the key to make authenticated calls.
    if str_eq(path, "/api/supabase-config") {
        let req_origin: String = map_get(headers, "origin")
-        let origin_ok: Bool = str_eq(req_origin, "")
+        // map_get returns 0 (null) when the header is absent — same-origin
+        // browser fetches don't send Origin at all. str_starts_with(null, "http")
+        // returns false, so !origin_present correctly passes no-origin requests.
+        let origin_present: Bool = str_starts_with(req_origin, "http")
+        let origin_ok: Bool = !origin_present
            || str_eq(req_origin, "https://neurontechnologies.ai")
            || str_eq(req_origin, "https://www.neurontechnologies.ai")
            || str_starts_with(req_origin, "http://localhost:")