Add CORS null-origin and PNA evidence gates #1244

Open
bozicovichsantiago20-oss wants to merge 1 commit into UnitOneAI:main from bozicovichsantiago20-oss:codex/api-security-cors-pna-1202
@bozicovichsantiago20-oss
Summary

  • Adds API8 evidence gates for exact CORS allowlist reflection versus arbitrary origin reflection.
  • Covers credentialed Origin: null / opaque-origin rejection and Private Network Access trusted-origin handling.
  • Extends report evidence fields, review checklist, false-positive guardrails, references, and version history for api-security v1.0.1.

Validation

  • git diff --check (only existing Windows LF-to-CRLF warning)
  • Markdown fence balance check for SKILL.md and api-top10-checklist.md
  • Marker checks for Origin: null, Private Network Access, Access-Control-Allow-Private-Network, Vary: Origin, CORS/PNA Evidence, and version 1.0.1
  • Reference URL checks returned HTTP 200 for MDN CORS, MDN Access-Control-Allow-Origin, and WICG Private Network Access

Closes #1202

Bounty request: Skill Review () for #1202 and Improver Moderate () for this PR if accepted. Payment details can be provided privately after maintainer acceptance.
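
As an added illustration of the gates the PR summary above lists (not code from the PR or from the api-security skill), the sketch below classifies response headers captured for a few probe origins. The allowlist, probe origins, and finding labels are constructed assumptions.

```python
# Added example: not code from the PR or the api-security skill.
ALLOWLIST = {"https://app.example.com"}  # constructed trusted origin

def header(headers, name):
    """Case-insensitive lookup; returns the stripped value or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None

def classify_probe(origin, headers, allowlist=ALLOWLIST):
    """Findings for one probe: the Origin sent and the response headers seen."""
    acao = header(headers, "Access-Control-Allow-Origin")
    creds = (header(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    pna = (header(headers, "Access-Control-Allow-Private-Network") or "").lower() == "true"
    vary = {v.strip().lower() for v in (header(headers, "Vary") or "").split(",")}
    trusted = origin != "null" and origin in allowlist  # exact match only
    suffix = "-with-credentials" if creds else ""
    findings = []
    if acao == "null":
        findings.append("null-origin-allowed" + suffix)
    elif acao is not None and acao == origin and not trusted:
        findings.append("arbitrary-origin-reflection" + suffix)
    elif acao == origin and trusted and not vary & {"origin", "*"}:
        findings.append("missing-vary-origin")
    if pna and not trusted:
        findings.append("pna-granted-to-untrusted-origin")
    return findings

# Constructed probes: (Origin sent, response headers received).
PROBES = [
    ("https://app.example.com", {"Access-Control-Allow-Origin": "https://app.example.com",
                                 "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}),
    ("https://untrusted.example.net", {"access-control-allow-origin": "https://untrusted.example.net",
                                       "access-control-allow-credentials": "true"}),
    ("null", {"Access-Control-Allow-Origin": "null", "Access-Control-Allow-Credentials": "true"}),
    ("https://untrusted.example.net", {"Access-Control-Allow-Private-Network": "true"}),
    ("https://app.example.com", {"Access-Control-Allow-Origin": "https://app.example.com"}),
]

def run_gates(probes=PROBES):
    """Classify every probe; an empty list means the exact-allowlist case passed."""
    return [classify_probe(origin, headers) for origin, headers in probes]

if __name__ == "__main__":
    for (origin, _), findings in zip(PROBES, run_gates()):
        print(origin, "->", findings or ["no finding"])
```

The first probe is the false-positive guardrail: an allowlisted origin echoed back with `Vary: Origin` produces no finding, so reflection alone is not treated as evidence.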

Development

Successfully merging this pull request may close these issues.

[REVIEW] api-security: add CORS null-origin and PNA evidence gates