From 73fd13e8a06ba8dd6070961bdf4069bd9ac11d4b Mon Sep 17 00:00:00 2001
From: Phil
Date: Mon, 6 Oct 2025 16:02:23 +0200
Subject: [PATCH] Potential fix for code scanning alert no. 24: CORS misconfiguration for credentials transfer
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/context/SharedContextServer.ts | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/src/context/SharedContextServer.ts b/src/context/SharedContextServer.ts
index 0c0c18f..69481bb 100644
--- a/src/context/SharedContextServer.ts
+++ b/src/context/SharedContextServer.ts
@@ -168,17 +168,24 @@ export class SharedContextServer extends EventEmitter {
 'http://127.0.0.1:3000',
 'http://127.0.0.1:3001',
 'http://127.0.0.1:3002',
- 'http://127.0.0.1:3003',
- 'file://' // For local development tools
+ 'http://127.0.0.1:3003'
+ // Removed 'file://' for security, do not allow it for credentialed CORS
 ];
- if (allowedOrigins.includes(origin)) {
+ // Never allow "null" or "file://" as credentialed CORS origin
+ if (allowedOrigins.includes(origin) && origin !== "null" && origin !== "file://") {
 res.setHeader('Access-Control-Allow-Origin', origin);
 res.setHeader('Access-Control-Allow-Credentials', 'true');
- } else if (origin.startsWith('http://localhost:') || origin.startsWith('http://127.0.0.1:')) {
- // Allow any localhost port for development flexibility
+ } else if ((origin && (origin.startsWith('http://localhost:') || origin.startsWith('http://127.0.0.1:')))
+ && origin !== "null" && origin !== "file://") {
+ // Allow development flexibility but never send credential header
 res.setHeader('Access-Control-Allow-Origin', origin);
- // Don't allow credentials for dynamic origins
+ res.setHeader('Access-Control-Allow-Credentials', 'false');
+ } else {
+ // For all other cases, do not reflect origin nor allow credentials
+ // Optionally, you could omit CORS headers entirely,
+ // or respond with a safe default:
+ res.setHeader('Access-Control-Allow-Origin', 'false');
 res.setHeader('Access-Control-Allow-Credentials', 'false');
 }
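Review bot: The new `res.setHeader('Access-Control-Allow-Origin', 'false')` in the final else branch sets a value the CORS spec does not define; browsers refuse it only because it matches no origin, so the branch denies by accident rather than by design, and `Access-Control-Allow-Credentials: false` is likewise ignored since only `true` carries meaning. The standard way to refuse a cross-origin caller is to send neither header, so the branch can shrink to `} else {` / `  // Deny: with no Access-Control-Allow-Origin the browser fails the CORS check` / `}`. The `origin !== "null" && origin !== "file://"` guards added to both conditions are redundant, because neither value is in `allowedOrigins` nor starts with the localhost prefixes, and dropping them keeps the conditions readable. Reflecting a per-request origin also calls for `Vary: Origin` so a shared cache does not serve one origin's response to another, unless that is already set elsewhere in this handler. The enclosing method starts and continues outside the hunk.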