[PR #261] [CLOSED] Configure CORS allowlist via environment#1 #259

New issue

Closed

opened 2026-02-27 09:13:58 +03:00 by kerem · 0 comments

kerem commented

2026-02-27 09:13:58 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/maillab/cloud-mail/pull/261
Author: @zlylong
Created: 2/9/2026
Status: ❌ Closed

Base: main ← Head: main

📝 Commits (3)

0d2b539 Configure CORS origins for worker
4ce9ec1 Merge pull request #1 from zlylong/codex/configure-cors-with-origin-whitelist
af7b999 Merge branch 'maillab:main' into main

📊 Changes

2 files changed (+58 additions, -2 deletions)

View changed files

📝 mail-worker/src/hono/hono.js (+57 -2)
📝 mail-worker/wrangler.toml (+1 -0)

📄 Description

Motivation
Make CORS policy explicit and configurable so frontend origin changes can be updated from environment/wrangler config rather than hardcoded *.
Ensure sensible defaults for credentials, request/response headers and to reduce unsafe open CORS settings.
Description
Replace the global cors() call with an env-driven allowlist implementation in mail-worker/src/hono/hono.js that parses c.env values and normalizes origins via normalizeOrigin and parseCorsOrigins functions.
Configure the middleware origin callback to only return an allowed origin from env, and set credentials: false, allowHeaders: ['Authorization', 'Content-Type'], and exposeHeaders: ['Content-Disposition'] in the cors options.
Document a cors_origins example variable in mail-worker/wrangler.toml (commented) so deployers can supply allowed frontend domains (e.g. `[

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/maillab/cloud-mail/pull/261 **Author:** [@zlylong](https://github.com/zlylong) **Created:** 2/9/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `main` --- ### 📝 Commits (3) - [`0d2b539`](https://github.com/maillab/cloud-mail/commit/0d2b539c234f66ec4c35a2c1fe34d3aceaa0ded4) Configure CORS origins for worker - [`4ce9ec1`](https://github.com/maillab/cloud-mail/commit/4ce9ec1f4e230a8fae51558e52b6591021a70b09) Merge pull request #1 from zlylong/codex/configure-cors-with-origin-whitelist - [`af7b999`](https://github.com/maillab/cloud-mail/commit/af7b9998a3bf13577751968dbca53b55176227de) Merge branch 'maillab:main' into main ### 📊 Changes **2 files changed** (+58 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `mail-worker/src/hono/hono.js` (+57 -2) 📝 `mail-worker/wrangler.toml` (+1 -0) </details> ### 📄 Description Motivation Make CORS policy explicit and configurable so frontend origin changes can be updated from environment/wrangler config rather than hardcoded *. Ensure sensible defaults for credentials, request/response headers and to reduce unsafe open CORS settings. Description Replace the global cors() call with an env-driven allowlist implementation in mail-worker/src/hono/hono.js that parses c.env values and normalizes origins via normalizeOrigin and parseCorsOrigins functions. Configure the middleware origin callback to only return an allowed origin from env, and set credentials: false, allowHeaders: ['Authorization', 'Content-Type'], and exposeHeaders: ['Content-Disposition'] in the cors options. Document a cors_origins example variable in mail-worker/wrangler.toml (commented) so deployers can supply allowed frontend domains (e.g. `[ --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>