← Back to Skills Marketplace

CORS

Name: CORS
Author: ivangdavila

by Iván · GitHub ↗ · v1.0.0

linuxdarwinwin32 ✓ Security Clean

818

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install cors

Description

Configure Cross-Origin Resource Sharing correctly to avoid security issues and debugging pain.

README (SKILL.md)

Preflight Triggers

Any header except: Accept, Accept-Language, Content-Language, Content-Type (with restrictions)
Content-Type other than: application/x-www-form-urlencoded, multipart/form-data, text/plain
Methods: PUT, DELETE, PATCH, or any custom method
ReadableStream in request body
Event listeners on XMLHttpRequest.upload
One trigger = preflight; simple requests skip OPTIONS entirely

Credentials Mode

Access-Control-Allow-Origin: * incompatible with credentials—must specify exact origin
Access-Control-Allow-Credentials: true required for cookies/auth headers
Fetch: credentials: 'include'; XHR: withCredentials = true
Without credentials mode, cookies not sent even to same origin for cross-origin requests

Wildcard Limitations

* doesn't match subdomains—*.example.com is invalid, not a pattern
Can't use * with credentials—specify origin dynamically from request
Access-Control-Allow-Headers: * works in most browsers but not all—list explicitly for compatibility
Access-Control-Expose-Headers: * same issue—list headers you need to expose

Origin Validation

Check Origin header against allowlist—don't reflect blindly (security risk)
Regex matching pitfall: example.com matches evilexample.com—anchor the pattern
null origin: sandboxed iframes, file:// URLs—usually reject, never allow as trusted
Missing Origin header: same-origin or non-browser client—handle explicitly

Vary Header (Critical)

Always include Vary: Origin when response depends on origin—even if you allow only one
Without Vary: CDN/proxy caches response for one origin, serves to others—breaks CORS
Add Vary: Access-Control-Request-Headers, Access-Control-Request-Method for preflight caching correctness

Exposed Headers

By default, JS can only read: Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma
Custom headers invisible to JS unless listed in Access-Control-Expose-Headers
X-Request-ID, X-RateLimit-*, etc. need explicit exposure—common oversight

Preflight Caching

Access-Control-Max-Age: 86400 caches preflight for 24h—reduces OPTIONS traffic significantly
Chrome caps at 2 hours; Firefox at 24 hours—values above are silently reduced
Cached per origin + URL + request characteristics—not globally
Set to 0 or omit during development—caching hides config changes

Debugging

CORS error in browser = request reached server and came back—check server logs
Preflight failure: server must return 2xx with CORS headers on OPTIONS—404/500 = failure
Opaque response in fetch: mode: 'no-cors' succeeds but response is empty—usually not what you want
Network tab shows CORS errors; Console shows which header is missing

Common Server Mistakes

Only setting CORS headers on main handler, not OPTIONS—preflight fails
Setting headers after error response—CORS headers missing on 4xx/5xx breaks error handling
Proxy stripping headers—verify headers reach client, not just that server sets them
Access-Control-Allow-Origin: "*", "https://example.com"—must be single value, not list

Security

Don't reflect Origin header blindly—validate against allowlist first
Private Network Access: Chrome requires Access-Control-Allow-Private-Network: true for localhost access from public web
CORS doesn't prevent request from being sent—just blocks response reading; server still processes it
Sensitive endpoints: don't rely on CORS alone; use authentication + CSRF tokens

Usage Guidance

This skill is a documentation-only helper — it won't install software or access secrets. It's low-risk and coherent with its purpose. Before applying the guidance to production, review and implement the recommendations in your server code (validate Origin against an allowlist instead of reflecting it, add Vary: Origin, include CORS headers on OPTIONS and error responses, and explicitly list headers for compatibility). Test preflight caching and credentialed requests across target browsers and ensure proxies/CDNs don't strip headers. Remember: CORS controls whether a browser can read responses — it does not prevent the server from processing requests, so continue to use proper authentication and CSRF protections for sensitive endpoints.

Capability Analysis

Type: OpenClaw Skill Name: cors Version: 1.0.0 The skill bundle provides comprehensive documentation on Cross-Origin Resource Sharing (CORS), covering its configuration, debugging, and security implications. The `SKILL.md` file offers detailed technical advice, including critical security recommendations such as validating the Origin header against an allowlist instead of reflecting it blindly, and emphasizing the need for authentication and CSRF tokens for sensitive endpoints. There is no evidence of malicious intent, data exfiltration, unauthorized execution, persistence mechanisms, or prompt injection attempts against the AI agent; instead, it promotes secure development practices.

Capability Assessment

✓ Purpose & Capability

The name/description match the SKILL.md content: detailed CORS configuration guidance. There are no unrelated requirements (no env vars, binaries, or installs) that would be inappropriate for a documentation-style skill.

✓ Instruction Scope

SKILL.md is purely prescriptive guidance (headers to set, pitfalls to avoid). It does not instruct the agent to run commands, read files, access unrelated environment variables, or transmit data to external endpoints—no scope creep detected.

✓ Install Mechanism

No install spec and no code files. Because this is instruction-only, nothing will be written to disk or pulled from remote URLs during install.

✓ Credentials

The skill requests no credentials or environment configuration. There are no unexplained secrets or access requests relative to the skill's stated purpose.

✓ Persistence & Privilege

always is false and the skill is user-invocable; it does not request permanent presence or modify other skills or system-wide settings. Normal autonomous invocation is allowed but not problematic here given the skill's benign, read-only nature.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install cors
After installation, invoke the skill by name or use /cors
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release

Metadata

Slug cors

Version 1.0.0

License —

All-time Installs 1

Active Installs 1

Total Versions 1

Frequently Asked Questions

What is CORS?

Configure Cross-Origin Resource Sharing correctly to avoid security issues and debugging pain. It is an AI Agent Skill for Claude Code / OpenClaw, with 818 downloads so far.

How do I install CORS?

Run "/install cors" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is CORS free?

Yes, CORS is completely free (open-source). You can download, install and use it at no cost.

Which platforms does CORS support?

CORS is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin, win32).

Who created CORS?

It is built and maintained by Iván (@ivangdavila); the current version is v1.0.0.

More Skills