Fix duplicate CORS headers on proxied responses

The API server's CORS middleware adds Access-Control-Allow-Origin: *,
and the worker's CORS middleware does the same. When the API proxies
worker responses, it forwards all headers including CORS ones via Add(),
resulting in duplicate "*, *" which browsers reject.

Skip Access-Control-* headers when forwarding proxied responses — the
outer server's own CORS middleware already handles these.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: motatoes

internal/api/dashboard.go

@@ -1061,6 +1061,11 @@ func (s *Server) proxyWorkerHTTP(c echo.Context, session *db.SandboxSession, met
 	// Forward the worker's response back to the dashboard
 	respBody, _ := io.ReadAll(resp.Body)
 	for k, vals := range resp.Header {
+		// Skip CORS headers — the API server's own CORS middleware adds these,
+		// so forwarding them from the worker causes duplicates (*, *).
+		if strings.HasPrefix(strings.ToLower(k), "access-control-") {
+			continue
+		}
 		for _, v := range vals {
 			c.Response().Header().Add(k, v)
 		}

internal/proxy/proxy.go

@@ -302,6 +302,11 @@ func (r *responseRecorder) WriteHeader(statusCode int) {
 
 func (r *responseRecorder) writeTo(w http.ResponseWriter) {
 	for k, vals := range r.header {
+		// Skip CORS headers — the outer server's CORS middleware adds these,
+		// so forwarding them from the proxied response causes duplicates (*, *).
+		if strings.HasPrefix(strings.ToLower(k), "access-control-") {
+			continue
+		}
 		for _, v := range vals {
 			w.Header().Add(k, v)
 		}