Refactor removal of cross origin protection

RossTarrant · RossTarrant · commit 70c58d201380 · 2026-04-21T15:00:08.000+01:00
diff --git a/pkg/http/handler.go b/pkg/http/handler.go
@@ -223,8 +223,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Bypass cross-origin protection: this server uses bearer tokens (not
-	// cookies), so Sec-Fetch-Site CSRF checks are unnecessary. See PR #2359.
+	// Remove cross-origins due to erroneous SDK mitigation. See PR #2359.
 	crossOriginProtection := http.NewCrossOriginProtection()
 	crossOriginProtection.AddInsecureBypassPattern("/")
 

Original file line number	Diff line number	Diff line change
`@@ -223,8 +223,7 @@ func (h Handler) ServeHTTP(w http.ResponseWriter, r http.Request) {`
`223`	`223`	`return`
`224`	`224`	`}`
`225`	`225`
`226`		`- // Bypass cross-origin protection: this server uses bearer tokens (not`
`227`		`- // cookies), so Sec-Fetch-Site CSRF checks are unnecessary. See PR #2359.`
	`226`	`+ // Remove cross-origins due to erroneous SDK mitigation. See PR #2359.`
`228`	`227`	`crossOriginProtection := http.NewCrossOriginProtection()`
`229`	`228`	`crossOriginProtection.AddInsecureBypassPattern("/")`
`230`	`229`