From 851d35032f29e8c9e499292e1bcdfe319643f21f Mon Sep 17 00:00:00 2001
From: Vasudevan Ramasamy
Date: Thu, 16 Oct 2025 11:22:39 -0700
Subject: [PATCH] Fixed environment level CORS validation with right substring check
---
 packages/server/src/utils/XSS.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/packages/server/src/utils/XSS.ts b/packages/server/src/utils/XSS.ts
index 96bbab573cd..f5ca2541238 100644
--- a/packages/server/src/utils/XSS.ts
+++ b/packages/server/src/utils/XSS.ts
@@ -28,10 +28,15 @@ export function getCorsOptions(): any {
     const corsOptions = {
         origin: function (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) {
             const allowedOrigins = getAllowedCorsOrigins()
-            if (!origin || allowedOrigins == '*' || allowedOrigins.indexOf(origin) !== -1) {
+            if (!origin || allowedOrigins == '*') {
                 callback(null, true)
             } else {
-                callback(null, false)
+                const allowedOriginsList = allowedOrigins.split(',').map((o) => o.trim().toLowerCase())
+                if (allowedOriginsList.includes(origin.toLowerCase())) {
+                    callback(null, true)
+                } else {
+                    callback(null, false)
+                }
             }
         }
     }
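Review bot: The wildcard check `allowedOrigins == '*'` on the first changed line is a loose, untrimmed comparison, so a configured value such as `" *"` or a `*` entry mixed with other origins (`https://a.com,*`) never reaches the wildcard path and falls through to the exact-match list, where it can only ever match a literal Origin of `*`; since the new parsing already trims and lowercases each entry, the wildcard belongs in that list check rather than in a separate raw-string comparison. Note that answering `true` makes the cors middleware reflect the request Origin, so a `*` configuration is effectively "reflect any origin" — acceptable only if corsOptions does not also enable credentials, which is set (if at all) outside this hunk and worth confirming. The whole branch can collapse into one decision: `const allowedOriginsList = allowedOrigins.split(',').map((o) => o.trim().toLowerCase())` / `const allowed = !origin || allowedOriginsList.includes('*') || allowedOriginsList.includes(origin.toLowerCase())` / `callback(null, allowed)`. If `getAllowedCorsOrigins()` can return undefined or a non-string (its definition is not visible here), the new `allowedOrigins.split(',')` throws inside the origin callback and the request fails with a 500 rather than a CORS denial, so a `?? ''` default on `allowedOrigins` would be a cheap guard. The enclosing getCorsOptions function begins before and continues past this hunk.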