trickster currently sets Access-Control-Allow-Origin: * on every response unconditionally in pkg/proxy/headers/forwarding.go AddResponseHeaders (line 336). that was defensible when caches only held public read-only telemetry, but the new user_router credential-replacement path (pkg/backends/alb/mech/ur/user_router.go) lets cached responses carry privileged upstream data, so any browser origin can issue credentialed GETs and read the body.
CORS should be opt-in per backend/path, or scoped to a configured allowlist, rather than wildcard-on-by-default.
trickster currently sets
Access-Control-Allow-Origin: *on every response unconditionally inpkg/proxy/headers/forwarding.goAddResponseHeaders(line 336). that was defensible when caches only held public read-only telemetry, but the new user_router credential-replacement path (pkg/backends/alb/mech/ur/user_router.go) lets cached responses carry privileged upstream data, so any browser origin can issue credentialed GETs and read the body.CORS should be opt-in per backend/path, or scoped to a configured allowlist, rather than wildcard-on-by-default.