fix: invalid CORS header combo blocks SPA load #385
Merged
corsMiddleware set both Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true. That pairing is invalid per the CORS spec, so browsers reject the response. Behind a gateway this blocks the SPA's <script type="module" crossorigin> bundle from loading, leaving users in a /login reload loop. The API is reached with a bearer Authorization header (CLI and same-origin SPA), never cross-origin cookies, so the credentials header is unneeded. Remove it and keep the wildcard origin. Test drives the real NewRouter (real CORS wiring + embedded-SPA static handler) and asserts the invalid combo is gone.
viniciusdc approved these changes on Jun 5, 2026
Fixes #384.

`corsMiddleware` set both `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true`. That combination is invalid per the CORS spec, so browsers reject the response. Behind a gateway this blocks the SPA's `<script type="module" crossorigin>` bundle from loading, leaving users in a `/login` reload loop.

The API is reached with a bearer `Authorization` header (CLI and same-origin SPA), never cross-origin cookies, so the credentials header buys nothing. Removed it; kept the wildcard origin. `*` without credentials is safe here: a cross-origin browser request defaults to no-credentials, so the OIDC IdToken cookie is never sent and only unauthenticated endpoints are reachable cross-origin.

Test drives the real `NewRouter` (real CORS wiring + embedded-SPA static handler) and asserts the invalid combo is gone; verified it fails on the old behavior.

The `Cache-Control: no-store` on static assets noted in the issue is left for a separate change.
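The header pairing this PR removes, and the regression check it describes, as an added example in Go. This is not nebi's `corsMiddleware` or `NewRouter`; `buggyCORS`, `fixedCORS`, `InvalidCORSCombo` and `Probe` are hypothetical stand-ins that reproduce the "before" and "after" behaviour with `net/http/httptest`, so the same assertion can be run against any router without a browser.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// buggyCORS is a hypothetical stand-in for the old middleware: it pairs a
// wildcard Allow-Origin with Allow-Credentials: true, the combination the
// CORS spec does not permit (a browser fails the CORS check on it for any
// credentialed request).
func buggyCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		w.Header().Set("Access-Control-Allow-Credentials", "true")
		w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// fixedCORS keeps the wildcard origin and drops the credentials header. A
// bearer Authorization header is an explicit request header, not a CORS
// credential, so it still works cross-origin with "*" as long as it is listed
// in Allow-Headers; cookies are never sent because the request is not
// credentialed.
func fixedCORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Access-Control-Allow-Origin", "*")
		w.Header().Set("Access-Control-Allow-Headers", "Authorization, Content-Type")
		if r.Method == http.MethodOptions {
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// InvalidCORSCombo reports whether a response header set pairs a wildcard
// Allow-Origin with Allow-Credentials: true. The Fetch spec compares the
// credentials value byte-for-byte against "true", so an exact match is used.
func InvalidCORSCombo(h http.Header) bool {
	return h.Get("Access-Control-Allow-Origin") == "*" &&
		h.Get("Access-Control-Allow-Credentials") == "true"
}

// Probe sends one cross-origin request (constructed, with an Origin header a
// gateway-hosted SPA would carry) through mw and returns the response headers.
func Probe(mw func(http.Handler) http.Handler, method string) http.Header {
	h := mw(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("ok"))
	}))
	req := httptest.NewRequest(method, "/assets/app.js", nil)
	req.Header.Set("Origin", "https://gateway.example")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	for _, c := range []struct {
		name string
		mw   func(http.Handler) http.Handler
	}{{"buggy", buggyCORS}, {"fixed", fixedCORS}} {
		hdr := Probe(c.mw, http.MethodGet)
		fmt.Printf("%-5s ACAO=%q ACAC=%q invalid=%v\n", c.name,
			hdr.Get("Access-Control-Allow-Origin"),
			hdr.Get("Access-Control-Allow-Credentials"),
			InvalidCORSCombo(hdr))
	}
}
```

In a real test the middleware under test would be whatever the project's router wires in, probed the same way: drive the full handler with an `Origin` header and assert `InvalidCORSCombo` is false for both the preflight and the asset `GET`, which fails on the old behaviour and passes on the fix.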