fix: replace wildcard CORS default with explicit localhost origins #468

Closed

kimi wants to merge 0 commits from kimi/issue-462 into main

pull from: kimi/issue-462

merge into: Rockachopa:main

Rockachopa:main

Rockachopa:gemini/issue-892

Rockachopa:claude/issue-1342

Rockachopa:claude/issue-1346

Rockachopa:claude/issue-1351

Rockachopa:claude/issue-1340

Rockachopa:fix/test-llm-triage-syntax

Rockachopa:gemini/issue-1014

Rockachopa:gemini/issue-932

Rockachopa:claude/issue-1277

Rockachopa:claude/issue-1139

Rockachopa:claude/issue-870

Rockachopa:claude/issue-1285

Rockachopa:claude/issue-1292

Rockachopa:claude/issue-1281

Rockachopa:claude/issue-917

Rockachopa:claude/issue-1275

Rockachopa:claude/issue-925

Rockachopa:claude/issue-1019

Rockachopa:claude/issue-1094

Rockachopa:claude/issue-1019-v3

Rockachopa:fix/flaky-vassal-xdist-tests

Rockachopa:fix/test-config-env-isolation

Rockachopa:claude/issue-1019-v2

Rockachopa:claude/issue-957-v2

Rockachopa:claude/issue-1218

Rockachopa:claude/issue-1217

Rockachopa:test/chat-store-unit-tests

Rockachopa:claude/issue-1191

Rockachopa:claude/issue-1186

Rockachopa:claude/issue-957

Rockachopa:gemini/issue-936

Rockachopa:claude/issue-1065

Rockachopa:gemini/issue-976

Rockachopa:gemini/issue-1149

Rockachopa:claude/issue-1135

Rockachopa:claude/issue-1064

Rockachopa:gemini/issue-1012

Rockachopa:claude/issue-1095

Rockachopa:claude/issue-1102

Rockachopa:claude/issue-1114

Rockachopa:gemini/issue-978

Rockachopa:gemini/issue-971

Rockachopa:claude/issue-1074

Rockachopa:claude/issue-987

Rockachopa:claude/issue-1011

Rockachopa:feature/internal-monologue

Rockachopa:feature/issue-1006

Rockachopa:feature/issue-1007

Rockachopa:feature/issue-1008

Rockachopa:feature/issue-1009

Rockachopa:feature/issue-1010

Rockachopa:feature/issue-1011

Rockachopa:feature/issue-1012

Rockachopa:feature/issue-1013

Rockachopa:feature/issue-1014

Rockachopa:feature/issue-981

Rockachopa:feature/issue-982

Rockachopa:feature/issue-983

Rockachopa:feature/issue-984

Rockachopa:feature/issue-985

Rockachopa:feature/issue-986

Rockachopa:feature/issue-987

Rockachopa:feature/issue-993

Rockachopa:claude/issue-943

Rockachopa:claude/issue-975

Rockachopa:claude/issue-989

Rockachopa:claude/issue-988

Rockachopa:fix/loop-guard-gitea-api-and-queue-validation

Rockachopa:feature/lhf-tech-debt-fixes

Rockachopa:kimi/issue-753

Rockachopa:kimi/issue-714

Rockachopa:kimi/issue-716

Rockachopa:fix/csrf-check-before-execute

Rockachopa:chore/migrate-gitea-to-vps

Rockachopa:kimi/issue-640

Rockachopa:fix/utcnow-calm-py

Rockachopa:kimi/issue-635

Rockachopa:kimi/issue-625

Rockachopa:fix/router-api-truncated-param

Rockachopa:kimi/issue-604

Rockachopa:kimi/issue-594

Rockachopa:review-fixes

Rockachopa:kimi/issue-570

Rockachopa:kimi/issue-554

Rockachopa:kimi/issue-539

Rockachopa:kimi/issue-540

Rockachopa:feature/ipad-v1-api

Rockachopa:kimi/issue-506

Rockachopa:kimi/issue-512

Rockachopa:refactor/airllm-doc-cleanup

Rockachopa:kimi/issue-513

Rockachopa:kimi/issue-514

Rockachopa:kimi/issue-500

Rockachopa:kimi/issue-492

Rockachopa:kimi/issue-490

Rockachopa:kimi/issue-459

Rockachopa:kimi/issue-472

Rockachopa:kimi/issue-473

Rockachopa:kimi/issue-463

Rockachopa:kimi/issue-454

Rockachopa:kimi/issue-445

Rockachopa:kimi/issue-446

Rockachopa:kimi/issue-431

Conversation 0 Commits - Files Changed -

kimi commented 2026-03-19 19:00:19 +00:00

Collaborator

Copy Link

Summary

• Default cors_origins changed from ["*"] to explicit localhost origins
• _get_cors_origins() now strips wildcard entries in production mode with a warning
• Prevents unintentional open CORS in production deployments

Fixes #462

## Summary - Default `cors_origins` changed from `["*"]` to explicit localhost origins - `_get_cors_origins()` now strips wildcard entries in production mode with a warning - Prevents unintentional open CORS in production deployments Fixes #462

kimi added 1 commit 2026-03-19 19:00:19 +00:00

fix: replace wildcard CORS default with explicit localhost origins ... 9578330c87

The cors_origins setting defaulted to ["*"], which passed through
unchanged in production (non-debug) mode. Now defaults to explicit
localhost origins, and _get_cors_origins() strips any wildcards in
production with a warning.

Fixes #462

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Timmy closed this pull request 2026-03-19 19:01:54 +00:00

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

222-epic

Workshop: Timmy as Presence (Epic #222)

actionable

Has a concrete code/config task extracted

assigned-claude

Issue currently assigned to Claude agent — do not assign to another agent

assigned-gemini

Issue currently assigned to Gemini agent — do not assign to another agent

assigned-groq

assigned-kimi

Issue currently assigned to Kimi agent — do not assign to another agent

assigned-manus

Issue currently assigned to Manus agent — do not assign to another agent

claude-ready

consolidation

Part of a consolidation epic

deprioritized

Keep open but not blocking P0 work

deprioritized

Keep open but not blocking P0 work

duplicate

Duplicate of another issue

gemini-review

Auto-generated by Gemini, needs relevance review

groq-ready

harness

Core product: agent framework, heartbeat, inference, memory

heartbeat

Harness: Agent heartbeat loop

inference

Harness: Inference and model routing

infrastructure

Supporting stage: dashboard, CI/CD, deployment, DNS

kimi-ready

Scoped and ready for Kimi to pick up

memory-session

Harness: Memory and session crystallization

morrowind

Harness: Morrowind embodiment

needs-design

Needs architectural design before implementation

needs-extraction

Philosophy with unextracted engineering work

p0-critical

Priority 0: Must fix now

p1-important

Priority 1: Important, next sprint

p2-backlog

Priority 2: Backlog, do when time permits

philosophy

Philosophical foundation — informs architecture decisions

rejected-direction

Closed: rejected or superseded direction

seed:know-purpose

Three Seeds: KNOW YOUR PURPOSE

seed:serve-real

Three Seeds: SERVE THE REAL

seed:tell-truth

Three Seeds: TELL THE TRUTH

sovereignty

Harness: Sovereignty stack

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

Timmy claude grok groq kimi manus perplexity Rockachopa

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: Rockachopa/Timmy-time-dashboard#468