@@ -412,12 +412,11 @@ private void handleSSE(org.tinystruct.application.Context context, Request<HttpS
412412 SSEPushManager pushManager = getAppropriatePushManager (isMCP );
413413 SSEClient client = pushManager .register (sessionId , response );
414414
415- if (call instanceof Builder ) {
415+ if (call instanceof Builder ) {
416416 pushManager .push (sessionId , (Builder ) call );
417- }
418- else if (call instanceof String ) {
417+ } else if (call instanceof String ) {
419418 Builder builder = new Builder ();
420- builder .parse ((String )call );
419+ builder .parse ((String ) call );
421420 pushManager .push (sessionId , builder );
422421 }
423422
@@ -452,20 +451,26 @@ else if(call instanceof String) {
452451 * @throws IOException if an I/O error occurs
453452 */
454453 private void handleRequest (String query , org .tinystruct .application .Context context , Request request , Response <HttpServletResponse , ServletOutputStream > response , Action .Mode mode ) throws IOException , ApplicationException {
454+ String origin = request .headers ().get (Header .ORIGIN ).toString ();
455+
456+ // Allow origins: prefer explicit setting, otherwise echo Origin or wildcard
457+ String allowOrigin = settings .getOrDefault ("cors.allowed.origins" , origin != null ? origin : "*" );
458+ response .addHeader ("Access-Control-Allow-Origin" , allowOrigin );
459+ // Make responses vary by Origin when echoing it
460+ if (origin != null ) {
461+ response .addHeader ("Vary" , "Origin" );
462+ }
463+
464+ // Allow credentials if explicitly enabled in settings
465+ if ("true" .equalsIgnoreCase (settings .get ("cors.allow.credentials" ))) {
466+ response .addHeader ("Access-Control-Allow-Credentials" , "true" );
467+ }
468+
455469 // Handle CORS preflight (OPTIONS) requests up-front: these have no body.
456470 if ("OPTIONS" .equalsIgnoreCase (request .method ().name ())) {
457- String origin = request .headers ().get (Header .ORIGIN ).toString ();
458471 String acrMethod = request .headers ().get (Header .ACCESS_CONTROL_REQUEST_METHOD ).toString ();
459472 String acrHeaders = request .headers ().get (Header .ACCESS_CONTROL_REQUEST_HEADERS ).toString ();
460473
461- // Allow origins: prefer explicit setting, otherwise echo Origin or wildcard
462- String allowOrigin = settings .getOrDefault ("cors.allowed.origins" , origin != null ? origin : "*" );
463- response .addHeader ("Access-Control-Allow-Origin" , allowOrigin );
464- // Make responses vary by Origin when echoing it
465- if (origin != null ) {
466- response .addHeader ("Vary" , "Origin" );
467- }
468-
469474 // Allow methods: prefer configured list, otherwise echo requested or use sensible defaults
470475 String allowMethods = settings .getOrDefault ("cors.allowed.methods" , acrMethod != null ? acrMethod : "GET,POST,PUT,DELETE,OPTIONS" );
471476 response .addHeader ("Access-Control-Allow-Methods" , allowMethods );
@@ -474,11 +479,6 @@ private void handleRequest(String query, org.tinystruct.application.Context cont
474479 String allowHeaders = settings .getOrDefault ("cors.allowed.headers" , acrHeaders != null ? acrHeaders : "Content-Type,Authorization" );
475480 response .addHeader ("Access-Control-Allow-Headers" , allowHeaders );
476481
477- // Allow credentials if explicitly enabled in settings
478- if ("true" .equalsIgnoreCase (settings .get ("cors.allow.credentials" ))) {
479- response .addHeader ("Access-Control-Allow-Credentials" , "true" );
480- }
481-
482482 // Cache the preflight response for a configurable duration (seconds)
483483 String maxAge = settings .getOrDefault ("cors.preflight.maxage" , "3600" );
484484 response .addHeader ("Access-Control-Max-Age" , maxAge );