fix(extensions-library): remove wildcard CORS from continue nginx config

yasinBursali · claude · yasinBursali · commit ed6e245b813b · 2026-03-21T14:38:27.000+03:00
Removed Access-Control-Allow-Origin: * from /config.yaml and / locations. The VS Code extension uses its own HTTP client (not browser fetch), so CORS headers are unnecessary. The wildcard allowed any website to exfiltrate internal LLM API URLs and server topology from config.yaml. Closes Light-Heart-Labs#91 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/resources/dev/extensions-library/services/continue/config/continue/nginx.conf b/resources/dev/extensions-library/services/continue/config/continue/nginx.conf
@@ -15,13 +15,11 @@ server {
     # Serve the pre-built config.yaml
     location /config.yaml {
         add_header Content-Type application/yaml;
-        add_header Access-Control-Allow-Origin *;
         try_files /config.yaml =404;
     }
 
     # Serve static assets (setup page, icons, etc.)
     location / {
         try_files $uri $uri/ /index.html;
-        add_header Access-Control-Allow-Origin *;
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -15,13 +15,11 @@ server {`
`15`	`15`	`# Serve the pre-built config.yaml`
`16`	`16`	`location /config.yaml {`
`17`	`17`	`add_header Content-Type application/yaml;`
`18`		`- add_header Access-Control-Allow-Origin *;`
`19`	`18`	`try_files /config.yaml =404;`
`20`	`19`	`}`
`21`	`20`
`22`	`21`	`# Serve static assets (setup page, icons, etc.)`
`23`	`22`	`location / {`
`24`	`23`	`try_files $uri $uri/ /index.html;`
`25`		`- add_header Access-Control-Allow-Origin *;`
`26`	`24`	`}`
`27`	`25`	`}`