Code: tracked since May 21, 2026

Add API-key-aware CORS path for SaaS requests

This PR replaces the SaaS CORS handling with an `ApiKeyAwareCORSMiddleware` that allows API-key and device-flow requests to use a wildcard CORS origin without credentials, while keeping cookie/session requests on the existing strict allowlist-based CORS policy.



What is Different


Implemented per-request CORS dispatch in `enterprise/saas_server.py` using a new middleware that routes API-key-authenticated traffic to a permissive, non-credentialed CORS configuration and all other SaaS auth traffic to the existing credentialed allowlist path. This directly enables browser clients that authenticate by explicit keys to call APIs cross-origin with the expected auth semantics.

Why It Matters

Client integrations using API keys (for example the browser-based agent GUI) can now make direct cross-origin SaaS calls, reducing proxy hop complexity and avoiding proxy-masked failures, while cookie-based UI logins remain restricted to configured origins. Technically, requests carrying an API-key header (`Authorization`, `X-Session-API-Key`, `X-Access-Token`) and requests to the device-flow endpoints (`/oauth/device/authorize`, `/oauth/device/token`) now use `allow_origins=["*"]` with `allow_credentials=False`, and cookie/anonymous requests keep `PERMITTED_CORS_ORIGINS` with credentials enabled. Continued monitoring is needed for header-detection misclassification and any unexpected cross-origin request patterns on previously blocked domains.
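The dispatch rule described in the two paragraphs above, reduced to plain functions so it can be exercised without a web framework. This is an added example written for this page, not the project's `ApiKeyAwareCORSMiddleware` or Starlette's `CORSMiddleware`; the header names, device-flow paths and the wildcard/no-credentials split come from the description above, while the allowlist values, the request samples and the preflight handling are assumptions of the example. The preflight rule matters for the "header-detection misclassification" risk: a browser does not send `Authorization` or the custom key headers on an `OPTIONS` preflight, it only names them in `Access-Control-Request-Headers`, so a detector that looks at the real headers alone will route API-key preflights onto the strict path and reject them for unlisted origins. The last function checks the one invariant the permissive path must never violate: a wildcard origin combined with `Access-Control-Allow-Credentials`.

```python
"""Per-request CORS dispatch modelled on the policy described above.

Example code for this page; it does not import or reproduce the project's
middleware. Constants below marked (assumption) are not from the PR.
"""
from typing import Mapping

# Header names and device-flow endpoints as stated in the PR description.
API_KEY_HEADERS = ("authorization", "x-session-api-key", "x-access-token")
DEVICE_FLOW_PATHS = ("/oauth/device/authorize", "/oauth/device/token")

# Constructed stand-in for PERMITTED_CORS_ORIGINS (assumption).
PERMITTED_CORS_ORIGINS = ("https://app.example.test", "https://admin.example.test")


def _lower(headers: Mapping[str, str]) -> dict:
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    return {k.lower(): v for k, v in headers.items()}


def uses_api_key_path(method: str, path: str, headers: Mapping[str, str]) -> bool:
    """True when the request belongs on the permissive, non-credentialed policy.

    Device-flow endpoints qualify by path. Other requests qualify by the
    presence of an API-key header. On a preflight the key headers are absent
    and only listed in Access-Control-Request-Headers, so that list is used
    instead (example design choice; the page does not say how the PR does it).
    """
    h = _lower(headers)
    if path in DEVICE_FLOW_PATHS:
        return True
    if method.upper() == "OPTIONS" and "access-control-request-method" in h:
        requested = {
            name.strip().lower()
            for name in h.get("access-control-request-headers", "").split(",")
            if name.strip()
        }
        return any(name in requested for name in API_KEY_HEADERS)
    return any(name in h for name in API_KEY_HEADERS)


def cors_response_headers(method: str, path: str, headers: Mapping[str, str]) -> dict:
    """Return the origin/credential CORS headers the dispatcher would emit.

    Allow-Methods/Allow-Headers for preflights are left out to keep the focus
    on the origin and credentials decision.
    """
    h = _lower(headers)
    origin = h.get("origin")
    if origin is None:
        return {}  # same-origin or non-browser request: no CORS headers needed
    if uses_api_key_path(method, path, headers):
        # Permissive path: wildcard origin and deliberately no Allow-Credentials.
        return {"Access-Control-Allow-Origin": "*"}
    if origin in PERMITTED_CORS_ORIGINS:
        # Strict path: echo the allowlisted origin with credentials enabled.
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}  # unlisted origin on the credentialed path: the browser blocks the read


def credentials_never_with_wildcard(resp: Mapping[str, str]) -> bool:
    """Invariant: '*' must never be paired with Allow-Credentials."""
    return not (
        resp.get("Access-Control-Allow-Origin") == "*"
        and "Access-Control-Allow-Credentials" in resp
    )


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        ("GET", "/api/v1/things", {"Origin": "https://unlisted.example.test", "Cookie": "session=abc"}),
        ("GET", "/api/v1/things", {"Origin": "https://app.example.test", "Cookie": "session=abc"}),
        ("GET", "/api/v1/things", {"Origin": "https://unlisted.example.test", "X-Session-API-Key": "k"}),
        ("OPTIONS", "/api/v1/things", {"Origin": "https://unlisted.example.test",
                                       "Access-Control-Request-Method": "POST",
                                       "Access-Control-Request-Headers": "Content-Type, Authorization"}),
        ("POST", "/oauth/device/token", {"Origin": "https://unlisted.example.test"}),
    ]
    for method, path, hdrs in samples:
        resp = cors_response_headers(method, path, hdrs)
        assert credentials_never_with_wildcard(resp)
        print(f"{method} {path} {sorted(hdrs)} -> {resp}")
```

One consequence of the header-presence rule, visible in `uses_api_key_path`, is that a request carrying both a session cookie and an `Authorization` header lands on the wildcard, non-credentialed path; that is the stated design, and it is the case to keep in the monitoring described above.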

What To Watch Next

  • Watch whether ApiKeyAwareCORSMiddleware becomes a repeated pattern.
  • Track follow-up changes around AI Security.
  • Compare future signals against this evidence trail.
  • Re-check risk flags: api_key_header_detection_regressions, device_flow_endpoint_cors_bypass_mistake.

Tags: api_key_header_detection_regressions / device_flow_endpoint_cors_bypass_mistake / cross_origin_traffic_volume_spike

Supporting Evidence