Skip to content

binding-http: 404 responses do not include CORS headers #1495

New issue
New issue
Open
#1496
Open
binding-http: 404 responses do not include CORS headers#1495
#1496
@Pranav-0440

Description

@Pranav-0440
Pranav-0440
opened on Feb 21, 2026

Description

While working with the CORS tests introduced in #1486, I noticed that 404 responses do not include Access-Control-Allow-Origin headers when an Origin header is present in the request.

This causes browsers to block error responses due to missing CORS headers.

Current Behavior

For unknown routes, defaultRoute in http-server.ts returns:

res.writeHead(404);
res.end("Not Found");

No CORS headers are set.

Impact

Browsers performing cross-origin requests will block 404 responses
because Access-Control-Allow-Origin is missing, making debugging
and proper client-side error handling difficult.

Regression Test

A unit test has been added to reproduce and prevent this issue.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions