Skip to content

feat: Add POST and OPTIONS support to CORS proxy#64

Merged
homanp merged 2 commits intomainfrom
cursor/cors-proxy-post-support
Mar 30, 2026
Merged

feat: Add POST and OPTIONS support to CORS proxy#64
homanp merged 2 commits intomainfrom
cursor/cors-proxy-post-support

Conversation

@homanp
Copy link
Copy Markdown
Owner

@homanp homanp commented Mar 30, 2026
edited
Loading

Summary

  • Add OPTIONS handler for CORS preflight responses (204 with appropriate Access-Control-Allow-* headers)
  • Add POST handler that forwards request body and Content-Type upstream, with no caching or inflight deduplication (POST is not idempotent)
  • Refactor shared URL validation and Brin security scanning into reusable helpers (validateTarget, scanTarget)
  • Update chat system prompt to document POST proxy usage for widgets (e.g. OAuth token exchange)

Test plan

  • Verify OPTIONS /api/proxy?url=... returns 204 with correct CORS headers
  • Verify POST /api/proxy?url=... forwards body and content-type to upstream and returns the response
  • Verify GET /api/proxy?url=... still works as before (caching, dedup, stale-while-revalidate)
  • Verify Brin security scanning blocks unsafe URLs for both GET and POST
  • Test a widget performing a Twitter OAuth2 token exchange through the proxy

@homanp
Add POST and OPTIONS support to CORS proxy
c99b827 
Widgets that need to make POST requests through the proxy (e.g. OAuth2
token exchange) were getting 405s. Add OPTIONS handler for CORS
preflight, POST handler that forwards body/content-type upstream
without caching, and update the chat system prompt to document both
methods.
@github-actions github-actions bot added the contributor:verified Contributor passed trust analysis. label Mar 30, 2026
@homanp homanp marked this pull request as ready for review March 30, 2026 07:33
@homanp homanp changed the title Add POST and OPTIONS support to CORS proxy feat: Add POST and OPTIONS support to CORS proxy Mar 30, 2026
@homanp homanp self-assigned this Mar 30, 2026
@homanp
Copy link
Copy Markdown
Owner Author

homanp commented Mar 30, 2026

@cursor review

cursor[bot]
cursor bot reviewed Mar 30, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Comment @cursor review or bugbot run to trigger another review on this PR

@homanp
Add CORS headers to all proxy error responses
47ef143 
Error responses from validateTarget, scanTarget, and catch blocks were
missing Access-Control-Allow-Origin, causing the browser to block
widgets from reading the error body after a successful OPTIONS preflight.
@homanp homanp merged commit 586ddb7 into main Mar 30, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

@homanp homanp

Labels

contributor:verified Contributor passed trust analysis.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@homanp