Fix CORSMiddleware to return explicit origin for Authorization header #3127
Closed
KeepALifeUS wants to merge 1 commit into Kludex:main from
Conversation
When using `allow_origins=["*"]`, the middleware now correctly returns the specific origin instead of "*" when the request includes an Authorization header, matching the existing behavior for Cookie headers. This fixes a CORS issue where browsers would reject responses for authenticated requests using Authorization header because "*" is not a valid Access-Control-Allow-Origin value for credentialed requests.

Fixes Kludex#1832

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Owner: I've merged #3137 instead, but thank you for the PR! :)
Summary

When using `allow_origins=["*"]`, the middleware now correctly returns the specific origin instead of "*" when the request includes an Authorization header, matching the existing behavior for Cookie headers (line 164-169).

Changes

- Added `"authorization" in request_headers` alongside the existing cookie check
- Added test `test_cors_authorization_header_returns_specific_origin` that verifies the fix

Background

Per the CORS specification, wildcard `*` origin is not valid for credentialed requests. The middleware already handled this for requests with cookies, but was missing the case when Authorization header is present. Token-based authentication (Bearer tokens, etc.) is widely used and requires the same handling.

Test plan

🤖 Generated with Claude Code
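As an added example (not Starlette's code and not part of this PR), a small Python model of the Access-Control-Allow-Origin decision the description above makes, with the pre-fix and post-fix sets of credential-bearing request headers side by side. Function and constant names are our own; header names are lower-cased as in the ASGI header list.

```python
"""Constructed model of the CORS simple-response decision (not Starlette's code).

With allow_origins=["*"], a request that carries credentials must get its
exact Origin echoed back: browsers reject "*" on credentialed responses.
Before the fix only Cookie marked a request as credentialed; the fix adds
Authorization so Bearer-token requests are handled the same way.
"""
from typing import Iterable, Mapping, Optional

# Constructed constants: which request headers mark a request as credentialed.
CREDENTIAL_HEADERS_BEFORE_FIX = ("cookie",)
CREDENTIAL_HEADERS_AFTER_FIX = ("cookie", "authorization")


def cors_response_headers(
    origin: str,
    request_headers: Mapping[str, str],
    allow_origins: Iterable[str],
    allow_credentials: bool = True,
    credential_headers: Iterable[str] = CREDENTIAL_HEADERS_AFTER_FIX,
) -> Optional[dict]:
    """Return CORS headers for a simple (non-preflight) request, or None when
    the Origin is not allowed and no CORS headers should be added at all."""
    allow_origins = list(allow_origins)
    allow_all = "*" in allow_origins
    if not allow_all and origin not in allow_origins:
        return None

    names = {name.lower() for name in request_headers}
    credentialed = any(h in names for h in credential_headers)

    headers = {}
    if allow_all and not credentialed:
        # Anonymous request against a wildcard policy: "*" is fine.
        headers["access-control-allow-origin"] = "*"
    else:
        # Credentialed request (or explicit allow-list): echo the exact
        # Origin and tell caches that the answer depends on it.
        headers["access-control-allow-origin"] = origin
        headers["vary"] = "Origin"
    if allow_credentials and credentialed:
        # Required alongside the echoed origin for the browser to expose
        # a credentialed response to the page.
        headers["access-control-allow-credentials"] = "true"
    return headers
```

Running the same Bearer-token request through both header sets shows the bug: the pre-fix set still answers "*", which the browser then rejects.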