Pull request overview
Updates Play CORS configuration to explicitly define permitted origins for browser requests.
Changes:
- Adds play.filters.cors.allowedOrigins entries for apibuilder app domains and a local dev origin.
- (Accidentally) duplicates the play.filters.cors.allowedHttpMethods setting.
| play.filters.cors.preflightMaxAge = 3 days | ||
| play.filters.cors.allowedHttpMethods = ["DELETE", "GET", "PATCH", "POST", "PUT", "OPTIONS"] | ||
| play.filters.cors.allowedHttpMethods = ["DELETE", "GET", "PATCH", "POST", "PUT", "OPTIONS"] |
play.filters.cors.allowedHttpMethods is defined twice with the same value. In HOCON the last assignment wins, but this duplication is confusing and can hide future changes—please remove the duplicate line and keep a single definition.
| play.filters.cors.allowedHttpMethods = ["DELETE", "GET", "PATCH", "POST", "PUT", "OPTIONS"] |
| "https://app.apibuilder.org", | ||
| "http://localhost:5173" | ||
| ] | ||
base.conf is included by both production and dev/test configs, so allowing http://localhost:5173 here will also allow localhost origins in production. If localhost is only for local development, move it to devandtest.conf (or another non-production override) and keep base.conf production-safe.
| "https://app.apibuilder.org", | |
| "http://localhost:5173" | |
| ] | |
| "https://app.apibuilder.org" | |
| ] |
No description provided.