[PR #1469] [MERGED] CORS fixes #2963

New issue

Closed

opened 2026-03-03 09:09:08 +03:00 by kerem · 0 comments

kerem commented 2026-03-03 09:09:08 +03:00

Owner

Copy link

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/1469
Author: @jjlin
Created: 3/7/2021
Status: ✅ Merged
Merged: 3/15/2021
Merged by: @dani-garcia

Base: master ← Head: cors

---

📝 Commits (2)

• 7d0e234 CORS fixes
• d93c344 Merge branch 'master' into cors

📊 Changes

1 file changed (+14 additions, -8 deletions)

View changed files

📝 src/util.rs (+14 -8)

📄 Description

• The Safari extension apparently now uses the origin file:// and expects
  that to be returned (see bitwarden/browser#1311, bitwarden/server#800).

• The Access-Control-Allow-Origin header was reflecting the value of the
  Origin header without checking whether the origin was actually allowed.
  This effectively allows any origin to interact with the server, which
  defeats the purpose of CORS.

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/1469 **Author:** [@jjlin](https://github.com/jjlin) **Created:** 3/7/2021 **Status:** ✅ Merged **Merged:** 3/15/2021 **Merged by:** [@dani-garcia](https://github.com/dani-garcia) **Base:** `master` ← **Head:** `cors` --- ### 📝 Commits (2) - [`7d0e234`](https://github.com/dani-garcia/vaultwarden/commit/7d0e234b34c830eae63a713177f4bea310a8ae2d) CORS fixes - [`d93c344`](https://github.com/dani-garcia/vaultwarden/commit/d93c3441767cf7bccb77487a630aaf3d20793ac1) Merge branch 'master' into cors ### 📊 Changes **1 file changed** (+14 additions, -8 deletions) <details> <summary>View changed files</summary> 📝 `src/util.rs` (+14 -8) </details> ### 📄 Description * The Safari extension apparently now uses the origin `file://` and expects that to be returned (see bitwarden/browser#1311, bitwarden/server#800). * The `Access-Control-Allow-Origin` header was reflecting the value of the `Origin` header without checking whether the origin was actually allowed. This effectively allows any origin to interact with the server, which defeats the purpose of CORS. --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

kerem 2026-03-03 09:09:08 +03:00

• closed this issue
• added the
  pull-request
  label

kerem referenced this issue 2026-03-03 09:41:50 +03:00

[PR #2963] [MERGED] Increase privacy of masked config #3197

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

revert-7033-patch-1

cached-config-operations

test_dylint

1.35.8

1.35.7

1.35.6

1.35.5

1.35.4

1.35.3

1.35.2

1.35.1

1.35.0

1.34.3

1.34.2

1.34.1

1.34.0

1.33.2

1.33.1

1.33.0

1.32.7

1.32.6

1.32.5

1.32.4

1.32.3

1.32.2

1.32.1

1.32.0

1.31.0

1.30.5

1.30.4

1.30.3

1.30.2

1.30.1

1.30.0

1.29.2

1.29.1

1.29.0

1.28.1

1.28.0

1.27.0

1.26.0

1.25.2

1.25.1

1.25.0

1.24.0

1.23.1

1.23.0

1.22.2

1.22.1

1.22.0

1.21.0

1.20.0

1.19.0

1.18.0

1.17.0

1.16.3

1.16.2

1.16.1

1.16.0

1.15.1

1.15.0

1.14.2

1.14.1

1.14

1.13.1

1.13.0

1.12.0

1.11.0

1.10.0

1.9.1

1.9.0

1.8.0

1.7.0

1.6.1

1.6.0

1.5.0

1.4.0

1.3.0

1.2.0

1.1.0

1.0.0

0.13.0

0.12.0

0.11.0

0.10.0

0.9.0

Labels

Clear labels   

SSO

  

Third party

  

better for forum

  

bug

  

bug

  

documentation

  

duplicate

  

enhancement

  

future Vault

  

future Vault

  

future Vault

  

good first issue

  

help wanted

  

low priority

  

notes

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

troubleshooting

  

wontfix

No labels

SSO

Third party

better for forum

bug

bug

documentation

duplicate

enhancement

future Vault

future Vault

future Vault

good first issue

help wanted

low priority

notes

pull-request

question

troubleshooting

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/vaultwarden#2963

No description provided.