Skip to content

feat: add CORS support for HTTP API and metrics endpoints#756

Open
zemse wants to merge 4 commits intosigp:unstablefrom
zemse:249-cors-headers-cli
Open

feat: add CORS support for HTTP API and metrics endpoints#756
zemse wants to merge 4 commits intosigp:unstablefrom
zemse:249-cors-headers-cli

Conversation

@zemse
Copy link

@zemse zemse commented Dec 17, 2025

Issue Addressed

Closes #249

Proposed Changes

  • Add --metrics-allow-origin CLI flag
  • Implement CORS for HTTP API, the --http-allow-origin flag existed but wasn't wired up.

Additional Info

None

@zemse zemse marked this pull request as ready for review December 17, 2025 14:01
@dknopik dknopik requested a review from petarjuki7 December 18, 2025 17:44
jxs
jxs reviewed Jan 5, 2026
View reviewed changes
Copy link
Member

@jxs jxs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, thanks for getting into this!
Left some comments

anchor/http_metrics/src/lib.rs Outdated
Comment on lines 67 to 69
let origin = allow_origin
.map(|o| AllowOrigin::exact(o.parse().expect("validated in config")))
.unwrap_or(AllowOrigin::any());
Copy link
Member

@jxs jxs Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see comment above, this seems un-required, we should be able to receive allow_origin as AllowOrigin to not parsed it again here

anchor/http_api/src/lib.rs Outdated
Comment on lines 43 to 46
let origin = config
.allow_origin
.map(|o| AllowOrigin::exact(o.parse().expect("validated in config")))
.unwrap_or(AllowOrigin::any());
Copy link
Member

@jxs jxs Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see comment above, this seems unrequired, we can have config.allow_origin's type to be AllowOrigin to not have to be parsed again here.

diegomrsantos and others added 2 commits January 5, 2026 10:56
@diegomrsantos
Merge branch 'unstable' into 249-cors-headers-cli
b7c2eb5
@zemse @claude
refactor: store AllowOrigin directly in config instead of String
6931684 
- Parse CLI args directly into AllowOrigin in from_cli
- Remove duplicate parsing in http_api and http_metrics
- Replace hyper with tower-http dependency in client crate

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
jxs
jxs approved these changes Jan 22, 2026
View reviewed changes
Copy link
Member

@jxs jxs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM thanks!

dknopik
dknopik requested changes Jan 23, 2026
View reviewed changes
Copy link
Member

@dknopik dknopik left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This bumps all dependencies, so probably cargo update was run. Usually we do those in separate PRs - please restore the Cargo.lock from unstable

anchor/http_api/src/config.rs
listen_addr: IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)),
listen_port: 5062,
allow_origin: None,
allow_origin: AllowOrigin::any(),
Copy link
Member

@dknopik dknopik Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure if any is a good default.

E.g. Lighthouse defaults to the listen address and port: https://github.com/sigp/lighthouse/blob/f3fd1f210b2f4ed7d208f81f9a09e1edced3bb3d/beacon_node/http_api/src/lib.rs#L340-L344

Copy link
Member

@jxs jxs Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah makes sense thanks Daniel.
I suggested any based on following the default behavior of None but it makes more sense to use the listen address and port as lighthouse does

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jxs jxs jxs approved these changes

@dknopik dknopik dknopik requested changes

@petarjuki7 petarjuki7 Awaiting requested review from petarjuki7

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@zemse @jxs @dknopik @diegomrsantos