Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| value: https://csfloat.com | ||
| - name: HTTP_ALLOWEDORIGINS | ||
| value: ['chrome-extension://jjicbefpemnphinccgikpdaagjebbnhg'] | ||
| value: "['chrome-extension://jjicbefpemnphinccgikpdaagjebbnhg']" |
There was a problem hiding this comment.
CORS origin value contains extraneous brackets and quotes
High Severity
The HTTP_ALLOWEDORIGINS env var is now set to the literal string ['chrome-extension://jjicbefpemnphinccgikpdaagjebbnhg'], including brackets and single quotes. Viper/mapstructure will parse this into a []string containing that entire literal (brackets and all) as a single element. In server.go, the CORS check does an exact string comparison (allowedOrigin == origin), so it will never match the actual Chrome extension origin chrome-extension://jjicbefpemnphinccgikpdaagjebbnhg, effectively blocking all Chrome extension requests.
1 participant
Note
Low Risk
Low risk config-only change that adjusts how a single env var is parsed at deploy time. Risk is limited to CORS/origin allowlist behavior if the consuming app expects the previous unquoted format.
Overview
Updates
deploy/reverse-watch-service.yamlto wrap theHTTP_ALLOWEDORIGINSarray-like value in double quotes so it is treated as a string rather than a YAML sequence.Written by Cursor Bugbot for commit 710b52f. This will update automatically on new commits. Configure here.