Receipt · 62a6fd05-1
Test does not assert Vary: Origin is preserved when an allowed origin is present
test-gaplow
repo df3ede3f·PR #1·reviewed 1 week ago
The finding
- src/core/jsonrpc_cors_tests.rs:72-80
- src/core/jsonrpc_cors_tests.rs:108-127
The only test that checks `Vary: Origin` is the one with `None` as the origin. `Vary: Origin` is critical when an Access-Control-Allow-Origin header IS reflected back (otherwise caches/CDNs may serve a response keyed for origin A to a request from origin B, defeating the allowlist). The `always_sets_methods_headers_and_max_age` test asserts methods/headers/max-age for an allowed origin but does not assert `Vary: Origin`. This is a meaningful gap given that origin-reflecting CORS without Vary is a well-known cache-poisoning footgun.
Fix
Extend `always_sets_methods_headers_and_max_age` (or add a new test) to assert that `Vary: Origin` is present when an allowed origin is reflected.
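As an added illustration of the assertion this finding asks for (example code, not the project's own test file), the sketch below uses a hypothetical allowlist-reflecting CORS builder in place of the real handler and shows why `Vary: Origin` must be asserted on the allowed-origin path: a Vary-aware cache keys on Origin, whereas without Vary origin A's reflected response and origin B's request share one cache key.

```rust
use std::collections::BTreeMap;

type Headers = BTreeMap<String, String>;

/// Hypothetical stand-in for the real handler (assumption, not project code):
/// reflects the Origin only if allowlisted, and emits Vary: Origin on every
/// path because the response body/headers depend on the request's Origin.
pub fn cors_headers(origin: Option<&str>, allowlist: &[&str]) -> Headers {
    let mut h = Headers::new();
    h.insert("Access-Control-Allow-Methods".into(), "POST, OPTIONS".into());
    h.insert("Access-Control-Allow-Headers".into(), "Content-Type".into());
    h.insert("Access-Control-Max-Age".into(), "600".into());
    h.insert("Vary".into(), "Origin".into());
    if let Some(o) = origin {
        if allowlist.iter().any(|a| a.eq_ignore_ascii_case(o)) {
            h.insert("Access-Control-Allow-Origin".into(), o.into());
        }
    }
    h
}

/// True if the Vary header lists Origin; tolerates multi-value forms such as
/// "Accept-Encoding, Origin" so the test does not break on header reordering.
pub fn vary_covers_origin(h: &Headers) -> bool {
    h.get("Vary").map_or(false, |v| {
        v.split(',').any(|t| t.trim().eq_ignore_ascii_case("origin"))
    })
}

/// Key a shared cache would use: URL alone unless Vary names Origin.
pub fn cache_key(url: &str, origin: Option<&str>, h: &Headers) -> String {
    if vary_covers_origin(h) {
        format!("{url}|origin={}", origin.unwrap_or(""))
    } else {
        url.to_string()
    }
}

fn main() {
    // Constructed sample allowlist and origins.
    let allow = ["https://app.example"];
    let h = cors_headers(Some("https://app.example"), &allow);
    // The assertion the finding says is missing on the allowed-origin path.
    assert!(vary_covers_origin(&h));
    // With Vary honoured, another origin cannot hit the cached entry.
    let k_a = cache_key("/rpc", Some("https://app.example"), &h);
    let k_b = cache_key("/rpc", Some("https://other.example"), &h);
    assert_ne!(k_a, k_b);
    println!("cache keys differ: {k_a} vs {k_b}");
}
```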
Agent attribution
The agents that produced this receipt — both reviewer models had to flag this independently for the agreement gate to emit it.
anthropic
gpt-5
51.9s · error
openai
claude-opus-4-7
205.4s · error
Total
wall-clock review time · est. inference cost
205.4s · $0.40
Sweeper
closed at SHA
still open
internal review id · 62a6fd05
Third-party witnesses
Everything below lives on GitHub's event log, not ours. Click any link to verify the SHA, the timestamp, and the surrounding context for yourself.
Original review comment
https://github.com/AntFleet/agent-openhuman-bench/pull/1#issuecomment-4494694855