Skip to content

fix: Unify CORS Response Headers#230

Merged
andreituicu merged 3 commits into
mainfrom
cors-unify
Jun 15, 2026
Merged

fix: Unify CORS Response Headers#230
andreituicu merged 3 commits into
mainfrom
cors-unify

Conversation

@andreituicu

@andreituicu andreituicu commented Jun 10, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Description

Unify CORS header handling in responses:

  1. Trusted Origins receive:
    1.1 access-control-allow-origin: <caller_origin> reflected
    1.2 access-control-allow-credentials: true
  2. Everyone else
    2.1 access-control-allow-origin: *
    2.2 No access-control-allow-credentials -> can't send fetch requests with cookies

Related Issue

Motivation and Context

  1. UE hosted in experience.adobe.com is switching to service workers and was getting inconsistent CORS responses, when trying to use the cookies.
  2. The sprinkled CORS header handling was making it very difficult to troubleshoot CORS issues and slowed down development a lot in the past weeks, during hackathons.

How Has This Been Tested?

Unit tests.

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • I have signed the Adobe Open Source CLA.
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes.
  • All new and existing tests passed.

Additionally, a security review from Claude to double check my thinking:

Area Before After Risk
AEM proxy — trusted origin *, no credentials Mirrored origin + credentials Minor: extends trusted-origin XSS attack surface to proxy responses (pre-existing risk on OPTIONS/cookie)
DA admin non-HTML GET + POST — trusted origin No CORS headers Mirrored origin + credentials Intentional — trusted origins can now read these responses authenticated
DA admin non-HTML GET + POST — untrusted origin No CORS headers *, no credentials Untrusted callers can now read 401 error bodies cross-origin — not sensitive
OPTIONS preflight — untrusted origin 403 + * 403 + * No change
Cookie endpoint (/gimme_cookie) Mirrored origin + credentials Mirrored origin + credentials No change
Access-Control-Allow-Methods/Headers on non-OPTIONS Not present Present No impact — browsers ignore these on non-preflight responses

lkrapf
lkrapf approved these changes Jun 10, 2026
View reviewed changes

@lkrapf lkrapf left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@andreituicu andreituicu merged commit c42cc3e into main Jun 15, 2026
3 checks passed
@andreituicu andreituicu deleted the cors-unify branch June 15, 2026 09:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mhaack mhaack mhaack approved these changes

@lkrapf lkrapf lkrapf approved these changes

@maximilianvoss maximilianvoss Awaiting requested review from maximilianvoss

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@andreituicu @mhaack @lkrapf