Skip to content

[bug]: Environment variable CORS_ALLOWED_ORIGINS is not used #8390

New issue
New issue
Open
Open
[bug]: Environment variable CORS_ALLOWED_ORIGINS is not used#8390
Assignees
viharpushya22
Labels
planesync issues to Plane🐛bugSomething isn't working
@XenGi

Description

@XenGi
XenGi
opened on Dec 18, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

No matter what is set in the CORS_ALLOWED_ORIGINS variable, it seems that the application host is always used as the value. I tried setting "*" and got an appropriate error. I tried "" but the response header still hat the application host in it. I also tried a list with the two domains I need but still got only the application fqdn back.

I found the issue while figuring out another CORS issue which was related to missing CORS config on my S3 backend.

Steps to reproduce

  1. Set CORS_ALLOWED_ORIGINS to empty string or mutliple domains
  2. Try to upload an avatar
  3. Watch browser request to https://<my-plane-instance>/api/assets/v2/user-assets/ with access-control-allow-origin: https://<my-plane-instance>/ with the other URI missing

Environment

Production

Browser

Google Chrome

Variant

Self-hosted

Version

v1.2.1

Metadata

Metadata

Assignees

Labels

planesync issues to Plane🐛bugSomething isn't working

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions