Skip to content

feat: CORS allowlist for cross-origin HTTP clients#1

Closed
jonpepler wants to merge 2 commits into
mainfrom
telemachus/cors-allowlist
Closed

feat: CORS allowlist for cross-origin HTTP clients#1
jonpepler wants to merge 2 commits into
mainfrom
telemachus/cors-allowlist

Conversation

@jonpepler
Copy link
Copy Markdown
Owner

@jonpepler jonpepler commented May 11, 2026

Summary

Adds a configurable CORS allowlist so dashboards / SPAs hosted on a different origin (GitHub Pages, a local Vite dev server, a phone on the LAN) can read Telemachus action responses without needing a same-origin proxy.

Behaviour

  • New ALLOWED_ORIGINS setting in PluginConfiguration (Telemachus/config.xml).
  • Empty list (the default) preserves the historical behaviour of never sending CORS headers. Existing setups are unaffected.
  • When configured:
    • Echoes the request's Origin in Access-Control-Allow-Origin if it matches the allowlist, with Vary: Origin. We echo rather than emit * — same permissiveness for configured clients, but blocks credentialed requests from arbitrary origins.
    • Responds 204 to OPTIONS preflight with standard Access-Control-Allow-Methods / Access-Control-Allow-Headers / Access-Control-Max-Age.
    • Non-allowlisted requests get no CORS header, so browsers block-by-default.

Config example

<string name="ALLOWED_ORIGINS">http://localhost:5173,https://your-dashboard.example</string>

Comma-separated. Trailing slashes and empty entries are stripped.

Test plan

  • Build and start Telemachus, confirm Allowed CORS origins: … logs on init when config is set.
  • With config set, curl -H "Origin: http://localhost:5173" -i http://127.0.0.1:8085/telemachus/datalink?a=v.altitude shows Access-Control-Allow-Origin: http://localhost:5173 + Vary: Origin.
  • Same request from a non-allowlisted Origin returns no CORS header.
  • OPTIONS preflight with allowlisted Origin returns 204 + the expected Access-Control-* headers.
  • With config unset (default), responses include no CORS headers at all (verifies no regression for existing users).

@jonpepler
feat: add CORS allowlist for cross-origin HTTP clients
45f7f44 
Configurable via a new ALLOWED_ORIGINS setting in
PluginConfiguration. Empty list (the default) preserves the
historical behaviour of never sending CORS headers, so existing
setups are unaffected.

When configured, the server:
  - echoes the request's Origin in Access-Control-Allow-Origin
    if it matches the allowlist (with Vary: Origin), rather than
    emitting a wildcard
  - responds 204 to OPTIONS preflight with standard
    methods/headers
  - leaves non-allowlisted requests untouched, so browsers
    block-by-default

Lets dashboards and SPAs hosted on a different origin (e.g.
GitHub Pages, a local Vite dev server) read action responses
without needing a same-origin proxy.
@jonpepler jonpepler force-pushed the telemachus/cors-allowlist branch from 318e0e6 to 45f7f44 Compare May 11, 2026 12:12
@jonpepler jonpepler marked this pull request as ready for review May 11, 2026 16:27
@jonpepler jonpepler marked this pull request as draft May 11, 2026 16:27
@jonpepler jonpepler force-pushed the telemachus/cors-allowlist branch from 162ff30 to 44d1252 Compare May 11, 2026 16:35
@jonpepler
Copy link
Copy Markdown
Owner Author

jonpepler commented May 11, 2026

Superseded by upstream PR TeaGuild#82 (re-targeting against TeaGuild)

@jonpepler jonpepler closed this May 11, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jonpepler