Access-Control-Allow-Origin CORS and API requiring authentication

[Janaka-Steph]

I am working on a Metamask Snap browser extension that requests an API requiring session cookie authentication. Since Snap code is executed in an iframe with the sandbox property, the browser sends an Origin header with the value null with outgoing requests. For the Snap to be able to read the response, the server must send an Access-Control-Allow-Origin CORS header with the value * or null in the response.
https://docs.metamask.io/snaps/reference/permissions/#same-origin-policy-and-cors

However,
Using Access-Control-Allow-Origin: * while requiring credentials is prohibited by the CORS specification:
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials

Using Access-Control-Allow-Origin: null instead is discouraged. Especially it has vulnerability when it is used along with Access-Control-Allow-Credentials:
https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null
https://www.freecodecamp.org/news/exploiting-cors-guide-to-pentesting/
https://medium.com/@frank.leitner/write-up-cors-vulnerability-with-trusted-null-origin-portswigger-academy-94eb58b2d6f4

How am I supposed to handle this issue?

[t-vila]

Hey, you could just send an API key as a header instead, ex:

await fetch(url, {
            method: 'GET',
            headers: {
                Authorization: apikey
            }
        })

[Janaka-Steph]

Yes this is what I am doing. Thank you :)