Skip to content

Make CORS configurable and disabled by default#1121

Merged
quake merged 4 commits intodevelopfrom
copilot/add-cors-support-to-http-rpc
Feb 20, 2026
Merged

Make CORS configurable and disabled by default#1121
quake merged 4 commits intodevelopfrom
copilot/add-cors-support-to-http-rpc

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Feb 10, 2026
edited
Loading

CORS was previously always enabled with wildcard origins (*). This makes it configurable and disables it by default for security.

Changes

Configuration (RpcConfig):

  • Added cors_enabled: bool (default: false)
  • Added cors_allowed_origins: Vec<String> (empty = wildcard when enabled)
  • Supports config file, CLI args (--rpc-cors-enabled, --rpc-cors-allowed-origins), and environment variables

Implementation:

  • CORS middleware now applied conditionally based on cors_enabled
  • Empty origins list → Access-Control-Allow-Origin: *
  • Specified origins → restricted to list
  • Maintains correct middleware ordering (CORS wraps auth for OPTIONS preflight)

Testing:

  • Updated existing CORS test to explicitly enable CORS
  • Added test verifying CORS disabled by default

Usage

# config.yml
rpc:
  cors_enabled: true
  cors_allowed_origins:
    - "https://example.com"
    - "https://app.example.com"
# CLI
fnn --rpc-cors-enabled --rpc-cors-allowed-origins https://example.com,https://app.example.com

# Environment
export RPC_CORS_ENABLED=true
export RPC_CORS_ALLOWED_ORIGINS=https://example.com

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

Copilot AI and others added 2 commits February 10, 2026 04:15
@quake
Add CORS support to HTTP RPC server
836c0d1 
Co-authored-by: quake <8990+quake@users.noreply.github.com>
@quake
Add clarifying comment about CORS middleware ordering
038137c 
Co-authored-by: quake <8990+quake@users.noreply.github.com>
Copilot AI changed the title [WIP] Add CORS support to HTTP RPC responses Add CORS support to HTTP RPC server Feb 10, 2026
Copilot AI requested a review from quake February 10, 2026 04:27
@quake quake marked this pull request as ready for review February 10, 2026 10:03
quake
quake reviewed Feb 19, 2026
View reviewed changes
Comment thread crates/fiber-lib/src/rpc/mod.rs Outdated
@quake
Make CORS configurable and disabled by default
a6669f8 
Co-authored-by: quake <8990+quake@users.noreply.github.com>
Copilot AI changed the title Add CORS support to HTTP RPC server Make CORS configurable and disabled by default Feb 19, 2026
Copilot AI requested a review from quake February 19, 2026 12:16
@quake quake merged commit 269a630 into develop Feb 20, 2026
71 checks passed
Zhangcy0x3 pushed a commit to Zhangcy0x3/fiber that referenced this pull request Mar 12, 2026
@quake @Zhangcy0x3
Make CORS configurable and disabled by default (nervosnetwork#1121)
0f4396e 
* Initial plan

* Add CORS support to HTTP RPC server

Co-authored-by: quake <8990+quake@users.noreply.github.com>

* Add clarifying comment about CORS middleware ordering

Co-authored-by: quake <8990+quake@users.noreply.github.com>

* Make CORS configurable and disabled by default

Co-authored-by: quake <8990+quake@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: quake <8990+quake@users.noreply.github.com>
@sunchengzhu sunchengzhu mentioned this pull request Mar 31, 2026
Open
@quake quake deleted the copilot/add-cors-support-to-http-rpc branch April 15, 2026 23:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@quake quake quake approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@quake quake

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@quake