From b9fbf92461932f6ffb2f4e41b48ba7aed142eeaf Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach <kevin@veen.world>
Date: Thu, 2 Oct 2025 08:57:14 +0200
Subject: [PATCH] proxy(cors): make ACAO opt-in; remove hardcoded default

Stop forcing Access-Control-Allow-Origin to $scheme://$host. This default broke Element (element.infinito.nexus) -> Synapse (matrix.infinito.nexus) CORS and blocked login. Now ACAO is only set when 'aca_origin' is provided; otherwise we defer to the upstream app (e.g., Synapse) to emit correct CORS headers. Also convert top comments to Jinja block comment.

Discussion & debugging details: https://chatgpt.com/share/68de2236-4aec-800f-adc5-d025922c8753
---
 .../templates/headers/access_control_allow.conf.j2        | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2 b/roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2
index 3ec50101..2c1436e1 100644
--- a/roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2
+++ b/roles/sys-svc-proxy/templates/headers/access_control_allow.conf.j2
@@ -1,12 +1,10 @@
-# Configure CORS headers dynamically based on role variables.
-# If no variable is defined, defaults are applied (e.g. same-origin).
-# Discussion: https://chat.openai.com/share/2671b961-c1b0-472d-bae2-2804d0455e8a
+{#  Configure CORS headers dynamically based on role variables.
+    If no variable is defined, defaults are applied (e.g. same-origin).
+    Discussion: https://chat.openai.com/share/2671b961-c1b0-472d-bae2-2804d0455e8a #}
 
 {# Access-Control-Allow-Origin #}
 {% if aca_origin is defined %}
 add_header 'Access-Control-Allow-Origin' {{ aca_origin }};
-{% else %}
-add_header 'Access-Control-Allow-Origin' $scheme://$host always;
 {% endif %}
 
 {# Access-Control-Allow-Credentials #}