From d993d6dbfc20b76c2d0282f04383edc9c70dc753 Mon Sep 17 00:00:00 2001 From: Bas van den Aakster Date: Sun, 2 Nov 2025 15:10:41 +0100 Subject: [PATCH] Fix CORS configuration for Cloudflare Workers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixed CORS issue where 'Access-Control-Allow-Origin' header was missing. The problem was that using `origin: '*'` with `credentials: true` is not allowed by browsers. Changed to use a dynamic origin function that returns the actual requesting origin, which is compatible with credentials mode. Changes: - Use dynamic origin function instead of static array - Return requesting origin for wildcard (*) configuration - Added 'Origin' to allowHeaders list - Maintains compatibility with specific origin restrictions This fixes CORS errors in browser-based clients. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude
---
 src/app.ts | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/app.ts b/src/app.ts
index b4cb067..c65eb2d 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -13,11 +13,22 @@ export interface AppConfig {
 export function createApp(storage: Storage, config: AppConfig) {
 const app = new Hono();
- // Enable CORS
+ // Enable CORS with dynamic origin handling
 app.use('/*', cors({
- origin: config.corsOrigins,
+ origin: (origin) => {
+ // If no origin restrictions (wildcard), allow any origin
+ if (config.corsOrigins.length === 1 && config.corsOrigins[0] === '*') {
+ return origin;
+ }
+ // Otherwise check if origin is in allowed list
+ if (config.corsOrigins.includes(origin)) {
+ return origin;
+ }
+ // Default to first allowed origin
+ return config.corsOrigins[0];
+ },
 allowMethods: ['GET', 'POST', 'OPTIONS'],
- allowHeaders: ['Content-Type'],
+ allowHeaders: ['Content-Type', 'Origin'],
 exposeHeaders: ['Content-Type'],
 maxAge: 600,
 credentials: true,
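Review bot: The wildcard branch of the new `origin` callback returns the caller's own `Origin` while `credentials: true` stays set a few lines below, so with `corsOrigins: ['*']` every website is allowed to send credentialed requests and read the responses. Browsers refuse `*` together with credentials precisely to prevent this, and reflecting the origin sidesteps that safeguard; how much it exposes depends on whether the API relies on cookies or other ambient credentials, which this hunk does not show. I would keep wildcard mode credential-free, e.g. `return '*';` in that branch with `credentials: !config.corsOrigins.includes('*'),`, and require an explicit allowlist for deployments that need credentials. The fallback `return config.corsOrigins[0];` also answers a disallowed origin with a different allowed one (or `undefined` for an empty list); `return null;` would state the rejection directly. `createApp` continues past the end of the hunk.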