will.anderson
617916134f
Dev — Build & local smoke test / build-smoke (pull_request) Successful in 1m30s
map_get returns null (0) for missing headers. str_eq(null, "") is false because EL_CSTR(0) is NULL != "". Same-origin browser fetches don't send Origin at all, so the missing-origin case was incorrectly being denied. Fix: use str_starts_with(req_origin, "http") to detect a present origin. If no origin header (null first arg → str_starts_with returns false), origin_present is false and the request is allowed unconditionally.