fix(binding-http): include CORS headers for 404 responses

Pranav-0440 · Pranav-0440 · commit e996fa1885fe · 2026-02-22T00:22:56.000+05:30
Signed-off-by: Pranav-0440 &lt;pranavghorpade61@gmail.com&gt;
diff --git a/packages/binding-http/src/http-server.ts b/packages/binding-http/src/http-server.ts
@@ -103,6 +103,12 @@ export default class HttpServer implements ProtocolServer {
                 }
 
                 // No url-rewrite mapping found -> resource not found
+                const origin = req.headers.origin;
+                if (origin != null) {
+                    res.setHeader("Access-Control-Allow-Origin", origin);
+                    res.setHeader("Vary", "Origin");
+                }
+
                 res.writeHead(404);
                 res.end("Not Found");
             },
diff --git a/packages/binding-http/test/http-server-cors-test.ts b/packages/binding-http/test/http-server-cors-test.ts
@@ -249,4 +249,59 @@ class HttpServerCorsTest {
         expect(response.status).to.equal(204); // Action without output returns 204
         expect(response.headers.get("Access-Control-Allow-Origin")).to.equal("*");
     }
+    @test async "should include CORS headers on 405 response"() {
+        this.thing = new ExposedThing(this.servient, {
+            title: "TestThing405",
+            properties: {
+                test: {
+                    type: "string",
+                    forms: [],
+                },
+            },
+        });
+
+        await this.httpServer.expose(this.thing);
+
+        const uri = `http://localhost:${this.httpServer.getPort()}/testthing405/properties/test`;
+
+        const response = await fetch(uri, {
+            method: "DELETE", // not allowed
+            headers: {
+                Origin: "http://example.com",
+            },
+        });
+
+        expect(response.status).to.equal(404);
+
+        // Ensure CORS header exists even on 405
+        expect(response.headers.get("Access-Control-Allow-Origin")).to.exist;
+    }
+
+    @test async "should handle preflight with custom headers"() {
+        this.thing = new ExposedThing(this.servient, {
+            title: "TestThingCustomHeaders",
+            properties: {
+                test: {
+                    type: "string",
+                    forms: [],
+                },
+            },
+        });
+
+        await this.httpServer.expose(this.thing);
+
+        const uri = `http://localhost:${this.httpServer.getPort()}/testthingcustomheaders/properties/test`;
+
+        const response = await fetch(uri, {
+            method: "OPTIONS",
+            headers: {
+                Origin: "http://example.com",
+                "Access-Control-Request-Method": "GET",
+                "Access-Control-Request-Headers": "Authorization, Content-Type",
+            },
+        });
+
+        expect(response.status).to.equal(200);
+        expect(response.headers.get("Access-Control-Allow-Headers")).to.contain("authorization");
+    }
 }
