Skip to content

test: add CORS allowlist edge-case coverage#142

Merged
steipete merged 2 commits intosteipete:mainfrom
sebastiondev:test/cors-edge-cases
Mar 12, 2026
Merged

test: add CORS allowlist edge-case coverage#142
steipete merged 2 commits intosteipete:mainfrom
sebastiondev:test/cors-edge-cases

Conversation

@sebastiondev
Copy link
Contributor

@sebastiondev sebastiondev commented Mar 10, 2026

Follow-up to #108 — adds 21 additional edge-case tests for isTrustedOrigin and corsHeaders.

New coverage (beyond the existing 12 tests):

Category Cases
Localhost variants portless, HTTPS, alternate ports, IPv6 without port
Case-insensitive protocols CHROME-EXTENSION://, MOZ-EXTENSION://, etc.
Subdomain spoofing http://localhost.evil.com, http://localhost.evil.com:8787
Adjacent loopback IPs http://127.0.0.2:8787, http://0.0.0.0:8787
Protocol injection javascript:alert(1), data:text/html,...
Extension prefix spoofing chrome-extension-evil://abc
Null / empty origin literal "null", empty string
Full header shape asserts all 7 CORS response headers for a trusted origin

All 33 tests pass. Full pnpm check (format + lint + 1568 tests) green.

sebastiondev and others added 2 commits March 12, 2026 23:39
@sebastiondev @steipete
test: add CORS allowlist edge-case coverage
d48cd23 
Follow-up to steipete#108. Adds 21 additional test cases covering:

- Localhost variants: portless, HTTPS, alternate ports, IPv6 without port
- Case-insensitive extension protocols (CHROME-EXTENSION, MOZ-EXTENSION, etc.)
- Bypass attempts: subdomain spoofing (localhost.evil.com), adjacent
  loopback IPs (127.0.0.2, 0.0.0.0), protocol injection (javascript:,
  data:), extension prefix spoofing (chrome-extension-evil://), the
  literal string 'null', and empty origin
- Full CORS header shape assertion for trusted origins
@steipete
docs: note daemon cors edge-case coverage (steipete#142) (thanks @seb…
17672e0 
…astiondev)
@steipete steipete force-pushed the test/cors-edge-cases branch from 2c0e01e to 17672e0 Compare March 12, 2026 23:43
@steipete steipete merged commit 9e6096e into steipete:main Mar 12, 2026
3 of 4 checks passed
@steipete
Copy link
Owner

steipete commented Mar 12, 2026

Landed via temp rebase onto main.

  • Gate: pnpm -s check
  • Land commit: 17672e00b0ef98515379b795cfb938b7e359468f
  • Merge commit: 9e6096efc8f90b4427c09b4aa770f8611578d8ec

Thanks @sebastiondev!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sebastiondev @steipete