fix: SSEResponse duplicate CORS headers issue (#1287)

* fix: SSEResponse duplicate CORS headers issue

* update

* fix tests

* update

* update

Author: sansyrox

integration_tests/test_sse.py

@@ -17,7 +17,6 @@ def test_sse_basic_headers(session):
     # Accept either clean optimized headers or legacy compatibility
     cache_control = response.headers.get("Cache-Control")
     assert cache_control in ["no-cache, no-store, must-revalidate", "no-cache, no-cache, no-store, must-revalidate"]
-    assert "Access-Control-Allow-Origin" in response.headers
 
 
 @pytest.mark.benchmark
@@ -196,13 +195,17 @@ def test_sse_empty_stream(session):
 
 @pytest.mark.benchmark
 def test_sse_custom_headers(session):
-    """Test SSE endpoint with custom headers"""
+    """Test SSE endpoint with custom headers; SSE responses should not include default CORS headers for cross-origin EventSource support"""
     response = requests.get(f"{BASE_URL}/sse/with_headers", stream=True)
 
     assert response.status_code == 200
     assert response.headers.get("X-Custom-Header") == "custom-value"
     assert response.headers.get("Content-Type") == "text/event-stream"
 
+    # SSE responses should not include default CORS headers
+    assert response.headers.get("Access-Control-Allow-Origin") is None
+    assert response.headers.get("Access-Control-Allow-Headers") is None
+
 
 @pytest.mark.benchmark
 def test_sse_custom_status_code(session):
@@ -409,7 +412,6 @@ def test_sse_optimization_headers(session):
     assert response.headers.get("Pragma") == "no-cache"
     assert response.headers.get("Expires") == "0"
     assert response.headers.get("X-Accel-Buffering") == "no"  # Nginx buffering disabled
-    assert response.headers.get("Access-Control-Allow-Origin") == "*"
     # Connection header might be managed by underlying HTTP infrastructure
     connection = response.headers.get("Connection")
     assert connection is None or connection == "keep-alive"

robyn/responses.py

@@ -146,8 +146,6 @@ def __init__(
         if media_type == "text/event-stream":
             self.headers.set("Content-Type", "text/event-stream")
             # Cache-Control and Connection headers are set by Rust layer with optimized headers
-            self.headers.set("Access-Control-Allow-Origin", "*")
-            self.headers.set("Access-Control-Allow-Headers", "Cache-Control")
 
 
 def SSEResponse(

src/types/response.rs

@@ -315,11 +315,6 @@ impl PyStreamingResponse {
                 headers.set("Content-Type".to_string(), "text/event-stream".to_string());
                 headers.set("Cache-Control".to_string(), "no-cache".to_string());
                 headers.set("Connection".to_string(), "keep-alive".to_string());
-                headers.set("Access-Control-Allow-Origin".to_string(), "*".to_string());
-                headers.set(
-                    "Access-Control-Allow-Headers".to_string(),
-                    "Cache-Control".to_string(),
-                );
             } else {
                 // For non-SSE streaming responses, still set appropriate headers
                 headers.set("Content-Type".to_string(), media_type.clone());
@@ -564,21 +559,6 @@ impl FromPyObject<'_, '_> for StreamingResponse {
             if headers.get("Connection".to_string()).is_none() {
                 headers.set("Connection".to_string(), "keep-alive".to_string());
             }
-            if headers
-                .get("Access-Control-Allow-Origin".to_string())
-                .is_none()
-            {
-                headers.set("Access-Control-Allow-Origin".to_string(), "*".to_string());
-            }
-            if headers
-                .get("Access-Control-Allow-Headers".to_string())
-                .is_none()
-            {
-                headers.set(
-                    "Access-Control-Allow-Headers".to_string(),
-                    "Cache-Control".to_string(),
-                );
-            }
         }
 
         let content: pyo3::Py<PyAny> = match obj.getattr("content") {