From 1636f7ff5fd78afc1bd7bc80a7970478d0821138 Mon Sep 17 00:00:00 2001
From: Frank Yang
Date: Mon, 2 Mar 2026 09:11:24 +0800
Subject: [PATCH] fix(gateway): support wildcard in controlUi.allowedOrigins for remote access (#31088)

* fix(gateway): support wildcard in controlUi.allowedOrigins for remote access
* build: regenerate host env security policy swift
---------
Co-authored-by: Peter Steinberger
---
 src/gateway/origin-check.test.ts | 9 +++++++++
 src/gateway/origin-check.ts | 8 ++++----
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/gateway/origin-check.test.ts b/src/gateway/origin-check.test.ts
index e267afbf0..e0dd33a80 100644
--- a/src/gateway/origin-check.test.ts
+++ b/src/gateway/origin-check.test.ts
@@ -36,6 +36,15 @@ describe("checkBrowserOrigin", () => {
     expect(result.ok).toBe(true);
   });
 
+  it("accepts wildcard allowedOrigins", () => {
+    const result = checkBrowserOrigin({
+      requestHost: "gateway.example.com:18789",
+      origin: "https://any-origin.example.com",
+      allowedOrigins: ["*"],
+    });
+    expect(result.ok).toBe(true);
+  });
+
   it("rejects missing origin", () => {
     const result = checkBrowserOrigin({
       requestHost: "gateway.example.com:18789",
diff --git a/src/gateway/origin-check.ts b/src/gateway/origin-check.ts
index 7ba207416..0900ed678 100644
--- a/src/gateway/origin-check.ts
+++ b/src/gateway/origin-check.ts
@@ -32,10 +32,10 @@ export function checkBrowserOrigin(params: {
     return { ok: false, reason: "origin missing or invalid" };
   }
 
-  const allowlist = (params.allowedOrigins ?? [])
-    .map((value) => value.trim().toLowerCase())
-    .filter(Boolean);
-  if (allowlist.includes(parsedOrigin.origin)) {
+  const allowlist = new Set(
+    (params.allowedOrigins ?? []).map((value) => value.trim().toLowerCase()).filter(Boolean),
+  );
+  if (allowlist.has("*") || allowlist.has(parsedOrigin.origin)) {
     return { ok: true };
   }
 
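Review bot: The new test case pins only the acceptance path; with `allowedOrigins: ["*"]` the property worth locking in is that a request with a missing or unparsable Origin header is still rejected, because in origin-check.ts the wildcard check runs only after the origin has been parsed. A sibling case such as `it("wildcard still rejects missing origin", ...)` that calls checkBrowserOrigin with `allowedOrigins: ["*"]` and no `origin`, asserting `result.ok` is false, would catch a future reordering that moved the wildcard short-circuit above the parse. The enclosing describe block starts outside the hunk.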
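Review bot: `allowlist.has("*")` switches off the browser-origin check for every origin, which is the gateway's protection against cross-site pages driving the control UI, and nothing in the hunk documents or surfaces that. A comment above the condition, `// "*" disables origin checking entirely: any site can reach the control UI; intended only for deployments that accept that risk`, would make the trade-off visible to the next reader, and a one-time warning where the config is validated (outside this hunk) would make it visible to operators. The wildcard is matched only as the bare `"*"` after trim/lowercase — an entry like `https://*.example.com` is not treated as a pattern — which the test name "accepts wildcard allowedOrigins" could be read to imply, so the comment should say so. checkBrowserOrigin continues outside the hunk.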