Skip to content

Comments

feat: add CORS support for HTTP API and metrics endpoints#756

Merged
mergify[bot] merged 6 commits intosigp:unstablefrom
zemse:249-cors-headers-cli
Feb 17, 2026
Merged

feat: add CORS support for HTTP API and metrics endpoints#756
mergify[bot] merged 6 commits intosigp:unstablefrom
zemse:249-cors-headers-cli

Conversation

@zemse
Copy link

@zemse zemse commented Dec 17, 2025

Issue Addressed

Closes #249

Proposed Changes

  • Add --metrics-allow-origin CLI flag
  • Implement CORS for HTTP API, the --http-allow-origin flag existed but wasn't wired up.

Additional Info

None

@zemse zemse marked this pull request as ready for review December 17, 2025 14:01
@dknopik dknopik requested a review from petarjuki7 December 18, 2025 17:44
jxs
jxs reviewed Jan 5, 2026
View reviewed changes
Copy link
Member

@jxs jxs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, thanks for getting into this!
Left some comments

anchor/http_metrics/src/lib.rs Outdated
Comment on lines 67 to 69
let origin = allow_origin
.map(|o| AllowOrigin::exact(o.parse().expect("validated in config")))
.unwrap_or(AllowOrigin::any());
Copy link
Member

@jxs jxs Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see comment above, this seems un-required, we should be able to receive allow_origin as AllowOrigin to not parsed it again here

anchor/http_api/src/lib.rs Outdated
Comment on lines 43 to 46
let origin = config
.allow_origin
.map(|o| AllowOrigin::exact(o.parse().expect("validated in config")))
.unwrap_or(AllowOrigin::any());
Copy link
Member

@jxs jxs Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see comment above, this seems unrequired, we can have config.allow_origin's type to be AllowOrigin to not have to be parsed again here.

jxs
jxs previously approved these changes Jan 22, 2026
View reviewed changes
Copy link
Member

@jxs jxs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks!

dknopik
dknopik requested changes Jan 23, 2026
View reviewed changes
Copy link
Member

@dknopik dknopik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This bumps all dependencies, so probably cargo update was run. Usually we do those in separate PRs - please restore the Cargo.lock from unstable

anchor/http_api/src/config.rs Outdated
listen_addr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)),
listen_port: 5062,
allow_origin: None,
allow_origin: AllowOrigin::any(),
Copy link
Member

@dknopik dknopik Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure if any is a good default.

E.g. Lighthouse defaults to the listen address and port: https://github.com/sigp/lighthouse/blob/f3fd1f210b2f4ed7d208f81f9a09e1edced3bb3d/beacon_node/http_api/src/lib.rs#L340-L344

Copy link
Member

@jxs jxs Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah makes sense thanks Daniel.
I suggested any based on following the default behavior of None but it makes more sense to use the listen address and port as lighthouse does

zemse and others added 2 commits February 9, 2026 18:48
@zemse
feat: add CORS support for HTTP API and metrics endpoints
ac0404b
@zemse @claude
refactor: store AllowOrigin directly in config instead of String
ad74bc2 
- Parse CLI args directly into AllowOrigin in from_cli
- Remove duplicate parsing in http_api and http_metrics
- Replace hyper with tower-http dependency in client crate

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@zemse zemse marked this pull request as draft February 9, 2026 13:36
@zemse @claude
fix: default CORS origin to listen address
a4b5146 
Change default AllowOrigin from `any()` to the listen address and port,
matching Lighthouse's behavior for safer defaults.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@zemse zemse force-pushed the 249-cors-headers-cli branch from d2af91f to a4b5146 Compare February 9, 2026 15:05
jxs
jxs previously approved these changes Feb 16, 2026
View reviewed changes
Copy link
Member

@jxs jxs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jxs jxs requested a review from dknopik February 16, 2026 14:49
@jxs jxs marked this pull request as ready for review February 16, 2026 14:49
@jxs jxs force-pushed the 249-cors-headers-cli branch from 4e17534 to 1cd5a4a Compare February 17, 2026 10:01
@jxs jxs force-pushed the 249-cors-headers-cli branch from 1cd5a4a to 970bfbb Compare February 17, 2026 11:07
dknopik
dknopik approved these changes Feb 17, 2026
View reviewed changes
Copy link
Member

@dknopik dknopik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @zemse and @jxs!

@mergify mergify bot merged commit dca9d9b into sigp:unstable Feb 17, 2026
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dknopik dknopik dknopik approved these changes

@jxs jxs jxs left review comments

@petarjuki7 petarjuki7 Awaiting requested review from petarjuki7

Assignees

No one assigned

Labels

ready-for-merge

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@zemse @jxs @dknopik