fix: only apply CORS if enabled

cmd/daemon/serve.go

@@ -6,10 +6,11 @@ package daemon
 import (
 	stdctx "context"
 	"crypto/tls"
-	"github.com/rs/cors"
 	"net/http"
 	"time"
 
+	"github.com/rs/cors"
+
 	"github.com/ory/x/otelx/semconv"
 
 	"github.com/pkg/errors"
@@ -101,7 +102,12 @@ func ServePublic(r driver.Registry, cmd *cobra.Command, _ []string, slOpts *serv
 
 	// we need to always load the CORS middleware even if it is disabled, to allow hot-enabling CORS
 	n.UseFunc(func(w http.ResponseWriter, req *http.Request, next http.HandlerFunc) {
-		cors.New(r.Config().CORS(req.Context(), "public")).ServeHTTP(w, req, next)
+		cfg, enabled := r.Config().CORS(req.Context(), "public")
+		if !enabled {
+			next(w, req)
+			return
+		}
+		cors.New(cfg).ServeHTTP(w, req, next)
 	})
 
 	n.UseFunc(x.CleanPath) // Prevent double slashes from breaking CSRF.

driver/config/config.go

@@ -459,7 +459,7 @@ func (p *Config) formatJsonErrors(schema []byte, err error) {
 	jsonschemax.FormatValidationErrorForCLI(p.stdOutOrErr, schema, err)
 }
 
-func (p *Config) CORS(ctx context.Context, iface string) cors.Options {
+func (p *Config) CORS(ctx context.Context, iface string) (cors.Options, bool) {
 	switch iface {
 	case "admin":
 		return p.cors(ctx, "serve.admin")
@@ -470,14 +470,13 @@ func (p *Config) CORS(ctx context.Context, iface string) cors.Options {
 	}
 }
 
-func (p *Config) cors(ctx context.Context, prefix string) cors.Options {
-	opts, _ := p.GetProvider(ctx).CORS(prefix, cors.Options{
+func (p *Config) cors(ctx context.Context, prefix string) (cors.Options, bool) {
+	return p.GetProvider(ctx).CORS(prefix, cors.Options{
 		AllowedMethods:   []string{"GET", "POST", "PUT", "PATCH", "DELETE"},
 		AllowedHeaders:   []string{"Authorization", "Content-Type", "Cookie"},
 		ExposedHeaders:   []string{"Content-Type", "Set-Cookie"},
 		AllowCredentials: true,
 	})
-	return opts
 }
 
 func (p *Config) Set(ctx context.Context, key string, value interface{}) error {