Merge pull request #63 from diggerhq/fix/duplicate-cors-headers

Fix duplicate CORS headers on proxied responses

Author: motatoes

internal/api/dashboard.go

@@ -1061,6 +1061,11 @@ func (s *Server) proxyWorkerHTTP(c echo.Context, session *db.SandboxSession, met
 	// Forward the worker's response back to the dashboard
 	respBody, _ := io.ReadAll(resp.Body)
 	for k, vals := range resp.Header {
+		// Skip CORS headers — the API server's own CORS middleware adds these,
+		// so forwarding them from the worker causes duplicates (*, *).
+		if strings.HasPrefix(strings.ToLower(k), "access-control-") {
+			continue
+		}
 		for _, v := range vals {
 			c.Response().Header().Add(k, v)
 		}

internal/proxy/proxy.go

@@ -302,6 +302,11 @@ func (r *responseRecorder) WriteHeader(statusCode int) {
 
 func (r *responseRecorder) writeTo(w http.ResponseWriter) {
 	for k, vals := range r.header {
+		// Skip CORS headers — the outer server's CORS middleware adds these,
+		// so forwarding them from the proxied response causes duplicates (*, *).
+		if strings.HasPrefix(strings.ToLower(k), "access-control-") {
+			continue
+		}
 		for _, v := range vals {
 			w.Header().Add(k, v)
 		}