qui CORS Misconfiguration: Arbitrary Origins Trusted
How AI Introduced This
Yes. The AI-assisted commit f01101d6f24b0c5f4a15b858d87ecd1d7c4ab5e8 did not author the unsafe `AllowOriginFunc(...){ return true }` CORS policy, but it added the auth-disabled / reverse-proxy deployment mode without any accompanying CORS restriction, expanding the impact of the pre-existing arbitrary-origin trust for proxy-authenticated deployments. The original CORS bug itself was introduced earlier by human-authored commits.
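The difference between the trust-everything callback described above and an exact-match allowlist, as an added standard-library Go example (not qui's code). The names `trustAll`, `allowlist`, `withCORS` and `acao`, the origin `https://qui.example.com` and the path `/api/ping` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// trustAll mirrors the policy described above: every Origin is accepted.
func trustAll(string) bool { return true }

// allowlist accepts only exact scheme://host[:port] matches (assumed policy).
func allowlist(set map[string]bool) func(string) bool {
	return func(origin string) bool {
		u, err := url.Parse(origin)
		if err != nil || u.Host == "" || (u.Scheme != "https" && u.Scheme != "http") {
			return false // "null", empty and malformed origins are refused
		}
		return set[u.Scheme+"://"+u.Host]
	}
}

// withCORS reflects the Origin header only when check approves it.
func withCORS(check func(string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Vary", "Origin") // keep caches from mixing per-origin responses
		if o := r.Header.Get("Origin"); o != "" && check(o) {
			w.Header().Set("Access-Control-Allow-Origin", o)
		}
		next.ServeHTTP(w, r)
	})
}

// acao returns the Access-Control-Allow-Origin value sent for a given Origin.
func acao(check func(string) bool, origin string) string {
	req := httptest.NewRequest(http.MethodGet, "/api/ping", nil) // constructed path
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	withCORS(check, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})).ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	strict := allowlist(map[string]bool{"https://qui.example.com": true}) // constructed origin
	for _, o := range []string{"https://qui.example.com", "https://evil.example", "null"} {
		fmt.Printf("%-26s trustAll=%q allowlist=%q\n", o, acao(trustAll, o), acao(strict, o))
	}
}
```

When authentication is delegated to a reverse proxy, the allowlist would normally hold only the origin the UI is served from.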
Deep Verification
by investigator-override
AI Signals (1)
| Claude Code | Co-author trailer | Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> | 95% |