Skip to content

make CORS opt-in per backend now that user_router replaces credentials #1008

Description

@crandles

trickster currently sets Access-Control-Allow-Origin: * on every response unconditionally in pkg/proxy/headers/forwarding.go AddResponseHeaders (line 336). that was defensible when caches only held public read-only telemetry, but the new user_router credential-replacement path (pkg/backends/alb/mech/ur/user_router.go) lets cached responses carry privileged upstream data, so any browser origin can issue credentialed GETs and read the body.

CORS should be opt-in per backend/path, or scoped to a configured allowlist, rather than wildcard-on-by-default.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions