fix(security): revert CORS origin restriction for embedded deployments

waleedlatif1 · waleedlatif1 · commit 1508f81f58ca · 2026-03-09T18:25:26.000-07:00
Embedded chat widgets and forms are designed to run on any customer
domain. Restricting CORS to an allowlist would break all existing
embedded deployments.
diff --git a/apps/sim/lib/core/security/deployment.ts b/apps/sim/lib/core/security/deployment.ts
@@ -1,8 +1,6 @@
 import { createHash } from 'crypto'
 import type { NextRequest, NextResponse } from 'next/server'
-import { getEnv } from '@/lib/core/config/env'
 import { isDev } from '@/lib/core/config/feature-flags'
-import { getBaseUrl } from '@/lib/core/utils/urls'
 
 /**
  * Shared authentication utilities for deployed chat and form endpoints.
@@ -82,47 +80,15 @@ export function setDeploymentAuthCookie(
   })
 }
 
-/**
- * Returns the set of origins allowed for cross-origin requests.
- * Includes the app's own origin and any origins from ALLOWED_ORIGINS env var.
- * In development, localhost origins are also permitted.
- */
-function getAllowedOrigins(): Set<string> {
-  const origins = new Set<string>()
-
-  try {
-    const appOrigin = new URL(getBaseUrl()).origin
-    origins.add(appOrigin)
-  } catch {
-    // getBaseUrl() may throw if NEXT_PUBLIC_APP_URL is not configured
-  }
-
-  const envOrigins = getEnv('ALLOWED_ORIGINS')
-  if (envOrigins) {
-    for (const raw of envOrigins.split(',')) {
-      const trimmed = raw.trim()
-      if (trimmed) {
-        origins.add(trimmed)
-      }
-    }
-  }
-
-  if (isDev) {
-    origins.add('http://localhost:3000')
-    origins.add('http://localhost:3001')
-  }
-
-  return origins
-}
-
 /**
  * Adds CORS headers to allow cross-origin requests for embedded deployments.
- * Only reflects the origin if it is in the allowed origins list.
+ * Embedded chat widgets and forms are designed to run on any customer domain,
+ * so we reflect the requesting origin rather than restricting to an allowlist.
  */
 export function addCorsHeaders(response: NextResponse, request: NextRequest): NextResponse {
   const origin = request.headers.get('origin') || ''
 
-  if (origin && getAllowedOrigins().has(origin)) {
+  if (origin) {
     response.headers.set('Access-Control-Allow-Origin', origin)
     response.headers.set('Access-Control-Allow-Credentials', 'true')
     response.headers.set('Access-Control-Allow-Methods', 'GET, POST, OPTIONS')
