github/zot
1
0
Fork 0
mirror of https://github.com/project-zot/zot.git synced 2026-06-17 12:58:02 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
bfc59ad1206d4cbfcce83c0171a8d208c3973546
zot/pkg
T
History
Ramkumar Chinchani bfc59ad120 security: suppress Allow-Credentials on wildcard CORS origin (CORS-1) (#3980) 
fix(security): suppress Allow-Credentials on wildcard CORS origin (CORS-1)

Per CORS spec §3.2, Access-Control-Allow-Credentials must not be
"true" when Access-Control-Allow-Origin is the wildcard "*".

ACHeadersMiddleware (pkg/common/http_server.go) and
getUIHeadersHandler (pkg/api/routes.go) now only emit the
credentials header when an explicit, non-empty AllowOrigin is
configured.  Deployments that leave AllowOrigin blank (default
wildcard) no longer produce a contradictory header pair.

Signed-off-by: Ramkumar Chinchani <rchincha.dev@gmail.com>
2026-04-18 21:14:52 +03:00
..
api
security: suppress Allow-Credentials on wildcard CORS origin (CORS-1) (#3980)
2026-04-18 21:14:52 +03:00
cel
Introduce support for OIDC workload identity federation (#3711)
2026-01-24 21:03:53 -08:00
cli
feat: Add TrivyConfig.VulnSeveritySources (Trivy's --vuln-severity-source) (#3943)
2026-04-08 09:39:26 +03:00
cluster
chore: update golangci-lint and fix all issues (#3575)
2025-11-22 23:36:48 +02:00
common
security: suppress Allow-Credentials on wildcard CORS origin (CORS-1) (#3980)
2026-04-18 21:14:52 +03:00
compat
chore: update golangci-lint and fix all issues (#3575)
2025-11-22 23:36:48 +02:00
compliance
chore: update golangci-lint and fix all issues (#3575)
2025-11-22 23:36:48 +02:00
debug
fix: graphql playground documentation was hardcoded to an unrelated example (#3721)
2026-01-21 09:28:49 +02:00
exporter
chore: Enable Go jsonv2 experiment and update the trivy dependency (v0.67.2) (#3572)
2025-11-27 09:58:37 +02:00
extensions
feat: Add TrivyConfig.VulnSeveritySources (Trivy's --vuln-severity-source) (#3943)
2026-04-08 09:39:26 +03:00
log
fix: make sure the function and caller information are added to log messages emitted by 3rd party libraries using slog directly. (#3659)
2025-12-19 07:32:13 +02:00
meta
feat(api): add repository quota enforcement middleware (#3923)
2026-04-13 23:18:34 +03:00
regexp
feat: support pushing multiple tags for a single manifest (#3885)
2026-03-29 21:13:24 +03:00
requestcontext
chore: update golangci-lint and fix all issues (#3575)
2025-11-22 23:36:48 +02:00
retention
fix: prevent nil pointer dereference in RemoveImageFromRepoMeta (#3658)
2025-12-17 11:44:51 +02:00
scheduler
refactor(test): new apis for creating temporary files (#3605)
2025-12-05 09:54:38 +02:00
storage
fix: Updating a repository should not result in a corrupted index.json file if disk is full (#3963)
2026-04-14 08:59:25 +03:00
test
feat(api): add repository quota enforcement middleware (#3923)
2026-04-13 23:18:34 +03:00