Skip to content

Allow CORS for all subdomains under xmoj-script.uk#64

Merged
PythonSmall-Q merged 1 commit into
masterfrom
copilot/allow-cors-for-all-domains
May 2, 2026
Merged

Allow CORS for all subdomains under xmoj-script.uk#64
PythonSmall-Q merged 1 commit into
masterfrom
copilot/allow-cors-for-all-domains

Conversation

Copilot AI commented May 2, 2026

Copy link
Copy Markdown
Contributor

Extends the CORS allowlist to permit requests from any subdomain of xmoj-script.uk, alongside the existing *.xmoj-script*.pages.dev, xmoj-bbs.me, and www.xmoj.tech rules.

Changes

  • Source/index.ts: Added a new regex match in getAllowedOrigin for https://<subdomain>.xmoj-script.uk origins:
    if (/^https:\/\/[a-z0-9-]+\.xmoj-script\.uk$/.test(origin)) {
      return origin;
    }
    Pattern enforces HTTPS and requires at least one subdomain label; the apex domain itself is not permitted.

Summary by Sourcery

New Features:

  • Allow CORS requests from any HTTPS subdomain of xmoj-script.uk, excluding the apex domain.

Summary by cubic

Extends the CORS allowlist to accept HTTPS requests from any subdomain of xmoj-script.uk. Enforces subdomain-only (apex not allowed) and keeps existing rules for *.xmoj-script*.pages.dev, xmoj-bbs.me, and www.xmoj.tech.

Written for commit eddd19d. Summary will update on new commits.

Agent-Logs-Url: https://github.com/XMOJ-Script-dev/XMOJ-bbs/sessions/29dec5cb-37ff-47bc-8f8d-ed7d9a5947bb

Co-authored-by: PythonSmall-Q <106425289+PythonSmall-Q@users.noreply.github.com>
@PythonSmall-Q PythonSmall-Q marked this pull request as ready for review May 2, 2026 07:34
Copilot AI review requested due to automatic review settings May 2, 2026 07:34
@PythonSmall-Q PythonSmall-Q merged commit d32d7f3 into master May 2, 2026
8 checks passed
@PythonSmall-Q PythonSmall-Q deleted the copilot/allow-cors-for-all-domains branch May 2, 2026 07:34
@sourcery-ai

sourcery-ai Bot commented May 2, 2026

Copy link
Copy Markdown
Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

Extends the CORS origin allowlist to include any HTTPS subdomain of xmoj-script.uk while preserving existing rules for .xmoj-script.pages.dev and other domains.

Sequence diagram for CORS validation with new xmoj-script.uk subdomains

sequenceDiagram
    actor Browser
    participant Frontend as Frontend_subdomain_xmoj_script_uk
    participant API as API_Server

    Browser->>Frontend: Fetch https://sub.xmoj-script.uk/app
    Frontend->>API: CORS preflight / API request with Origin: https://sub.xmoj-script.uk

    API->>API: getAllowedOrigin(origin)
    alt Origin matches xmoj_script_pages_dev
        API-->>API: return origin
    else Origin matches subdomain_xmoj_script_uk
        API-->>API: return origin
    else Origin matches xmoj_bbs_me_or_www_xmoj_tech
        API-->>API: return origin
    else No match
        API-->>API: return null
    end

    alt Allowed origin returned
        API-->>Frontend: Response with Access_Control_Allow_Origin: https://sub.xmoj-script.uk
        Frontend-->>Browser: Response forwarded
    else Origin not allowed
        API-->>Frontend: Response without CORS headers / 4xx
        Frontend-->>Browser: CORS blocked by browser
    end
Loading

File-Level Changes

Change Details Files
Extend CORS allowlist to cover all HTTPS subdomains of xmoj-script.uk.
  • Add a new regex branch in getAllowedOrigin that matches https://.xmoj-script.uk with lowercase alphanumeric and hyphen subdomains
  • Ensure the new rule returns the origin directly on match, consistent with existing allowlist branches
  • Keep the apex xmoj-script.uk domain disallowed by requiring at least one subdomain label in the pattern
Source/index.ts

Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • The new xmoj-script.uk regex only supports a single subdomain label (no additional dots), so if you truly need to allow 'any subdomain' (e.g., foo.bar.xmoj-script.uk) you may want to update the pattern to support multiple labels rather than just [a-z0-9-]+.
  • Since getAllowedOrigin is accumulating multiple very similar regex checks, consider extracting a small helper or shared pattern builder for allowed hostnames to reduce duplication and make future domain additions less error-prone.
Prompt for AI Agents
Please address the comments from this code review:

## Overall Comments
- The new `xmoj-script.uk` regex only supports a single subdomain label (no additional dots), so if you truly need to allow 'any subdomain' (e.g., `foo.bar.xmoj-script.uk`) you may want to update the pattern to support multiple labels rather than just `[a-z0-9-]+`.
- Since `getAllowedOrigin` is accumulating multiple very similar regex checks, consider extracting a small helper or shared pattern builder for allowed hostnames to reduce duplication and make future domain additions less error-prone.

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR broadens the worker’s CORS allowlist in Source/index.ts so browser requests can also come from xmoj-script.uk hosts, alongside the existing allowed XMOJ-related origins. It fits into the codebase by extending the origin validation used for preflight handling and response CORS headers.

Changes:

  • Add a new getAllowedOrigin rule for https://<subdomain>.xmoj-script.uk.
  • Keep the existing pages.dev, xmoj-bbs.me, and www.xmoj.tech origin rules unchanged.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread Source/index.ts
if (/^https:\/\/[a-z0-9-]+\.xmoj-script[a-z0-9-]*\.pages\.dev$/.test(origin)) {
return origin;
}
if (/^https:\/\/[a-z0-9-]+\.xmoj-script\.uk$/.test(origin)) {
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants