💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 70e6aca113
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| function originAllowed(origin) { | ||
| if (!origin) return true; // non-browser / same-origin requests | ||
| if (CORS_ALLOW_ORIGINS.includes("*")) return true; | ||
| return CORS_ALLOW_ORIGINS.includes(origin); |
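Review bot: the `includes("*")` branch makes originAllowed return true for every Origin, so whoever builds the response headers from this result must not reflect the request Origin into Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true when the allowlist contains "*"; that combination lets any site make credentialed cross-site requests, and the allowlist entry should be documented as incompatible with credentials. Separately, `CORS_ALLOW_ORIGINS.includes(origin)` is an exact string comparison, so "https://App.Example:443" or an entry with a trailing slash will not match "https://app.example"; either normalize both sides (for example via `new URL(x).origin`) or state in a comment that entries must be exact scheme://host[:port] values as the browser sends them.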
Permit same-origin Origin headers by default
originAllowed only accepts requests with no Origin header or an explicit allowlist match, so with the default empty CORS_ALLOW_ORIGINS any request that includes Origin is rejected at middleware with 403. This breaks legitimate same-origin browser calls that still send Origin (commonly non-GET fetch/XHR), so a default deployment can fail browser traffic even when frontend and API share the same host.
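One way to handle the failure mode the review describes (a same-origin fetch/XHR that carries an Origin header is rejected when the allowlist is empty), as an added example that is not code from this pull request or the project. It compares the request's Origin against the origin the server computes for itself before consulting the allowlist, and normalizes both sides. The names `normalizeOrigin`, `requestOrigin` and `checkRequest`, the `proto`/`host` parameters and the sample requests are assumptions made for the example.

```javascript
// Added example, not code from the PR: a same-origin-aware variant of originAllowed.
// Assumptions: Node.js (global URL); the allowlist holds full origins ("https://app.example");
// `proto` and `host` are the scheme and Host the server trusts for the current request
// (behind a reverse proxy, take them from the proxy's forwarded headers, never from the client).

// Normalize an Origin value to scheme://host[:port] with a lowercase host and the default
// port dropped. Returns null for the literal "null" origin or any unparsable value.
function normalizeOrigin(origin) {
  try {
    return new URL(origin).origin;
  } catch {
    return null;
  }
}

// The origin a browser would compute for the request itself. Without a Host there is
// nothing to compare against, so return null rather than "https://undefined".
function requestOrigin(proto, host) {
  if (!host) return null;
  return normalizeOrigin(`${proto}://${host}`);
}

function originAllowed(origin, allowList, proto, host) {
  // No Origin header: a plain navigation or a non-browser client. CORS does not apply,
  // so the request passes this check (it still needs its own authn/authz checks).
  if (!origin) return true;

  const o = normalizeOrigin(origin);
  // "null" (sandboxed iframe, file://, some redirect chains) is never a trustworthy
  // origin, so it is rejected even when the allowlist contains "*".
  if (o === null) return false;

  // A same-origin fetch/XHR with a non-GET method also sends Origin; accept it without
  // requiring an allowlist entry. This is the case the reviewed version rejects.
  if (o === requestOrigin(proto, host)) return true;

  if (allowList.includes("*")) return true;
  // Compare normalized values so "https://App.Example:443" matches "https://app.example".
  return allowList.map(normalizeOrigin).includes(o);
}

// Minimal middleware-style check over a request-like object; returns the HTTP status the
// middleware would produce (200 means pass through to the handler).
function checkRequest(req, allowList) {
  const h = req.headers;
  // Assumed deployment: a trusted proxy sets x-forwarded-proto, otherwise the app is TLS-only.
  const proto = h["x-forwarded-proto"] || "https";
  return originAllowed(h.origin, allowList, proto, h.host) ? 200 : 403;
}

// Constructed sample requests, checked against the default (empty) allowlist.
const EMPTY_ALLOWLIST = [];
const sameOriginPost = { headers: { host: "api.example", origin: "https://api.example" } };
const crossSiteFetch = { headers: { host: "api.example", origin: "https://evil.example" } };
const curlRequest    = { headers: { host: "api.example" } };

console.log("same-origin POST:", checkRequest(sameOriginPost, EMPTY_ALLOWLIST)); // 200
console.log("cross-site fetch:", checkRequest(crossSiteFetch, EMPTY_ALLOWLIST)); // 403
console.log("curl, no Origin: ", checkRequest(curlRequest, EMPTY_ALLOWLIST));    // 200
```

The same-origin comparison only helps if `host` and `proto` come from a trusted source: behind a proxy that does not strip client-supplied forwarded headers, an attacker could set them to match their own Origin, so bind them to the proxy's configuration rather than reading them blindly from the request.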
Codex generated this pull request, but encountered an unexpected error after generation. This is a placeholder PR message.