Skip to content

Add client side CORS check for prefix services#49

Merged
lele85 merged 2 commits into
mainfrom
surface-cors-headers-client-side
Jul 3, 2026
Merged

Add client side CORS check for prefix services#49
lele85 merged 2 commits into
mainfrom
surface-cors-headers-client-side

Conversation

@lele85

@lele85 lele85 commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Our server-side HTTP HEAD measurements are performed by a Lambda function, not a browser, so they never trigger CORS. However, in-browser playback technologies such as HLS (commonly implemented via hls.js) fetch media segments using cross-origin fetch/XHR requests, which do require the target server to respond with proper Access-Control-Allow-Origin headers, unlike a plain <audio>/<video> tag.

This complementary, browser-only signal is surfaced automatically, as soon as an endpoint's detail page loads, by performing a live check directly from your own browser against a prefix service's URL, resulting in either a:

  • CORS OK
  • CORS KO

This check is only available for prefix services. We intentionally leave enclosure URLs out of scope: anyone shipping HLS video already has to satisfy Apple's own requirements around CORS, so there's little value in re-verifying it here.

Under the hood, the check performs an HTTP HEAD request from your browser and confirms that the full redirect chain completes successfully. We don't surface the response headers themselves, since depending on the browser and the server's Access-Control-Expose-Headers configuration, they may not actually be made available to JavaScript.

Screenshot 2026-07-03 alle 14 28 55 Screenshot 2026-07-03 alle 14 28 46

@orca-security-us orca-security-us Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Orca Security Scan Summary

Status Check Issues by priority
Passed Passed Infrastructure as Code high 0   medium 0   low 0   info 0 View in Orca
Passed Passed OSS Licenses high 0   medium 0   low 0   info 0 View in Orca
Passed Passed Malicious Packages high 0   medium 0   low 0   info 0 View in Orca
Passed Passed SAST high 0   medium 0   low 0   info 0 View in Orca
Passed Passed Secrets high 0   medium 0   low 0   info 0 View in Orca
Passed Passed Vulnerabilities high 0   medium 0   low 0   info 0 View in Orca

@lele85 lele85 requested a review from LBRDan July 3, 2026 12:12
@lele85 lele85 requested a review from roccozanni July 3, 2026 12:31
@lele85 lele85 merged commit 415e23a into main Jul 3, 2026
7 checks passed
@lele85 lele85 deleted the surface-cors-headers-client-side branch July 3, 2026 12:40

@roccozanni roccozanni left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants