
Restrict CORS on progress SSE endpoint to avoid cross-origin data exposure #87

@johnson2006christopher

Summary

The progress SSE API currently sets a wildcard CORS header, which allows any origin to read event-stream responses. This is likely broader than needed for authenticated, user-scoped progress updates.

Location

  • app/api/progress/[progressId]/route.ts

Current behavior

The endpoint response includes:

  • Access-Control-Allow-Origin: *

Because this endpoint returns user-related progress events, a wildcard origin policy may increase risk unnecessarily.

Expected behavior

Use a stricter CORS policy for this route, for example:

  1. Remove the wildcard header entirely if cross-origin access is not required.
  2. Or set a specific allowed origin from config/environment if cross-origin access is required.

Why this matters

  • Reduces accidental exposure of event-stream data to arbitrary origins.
  • Aligns endpoint behavior with least-privilege security principles.
  • Good small hardening improvement with low implementation risk.

Proposed change

In app/api/progress/[progressId]/route.ts:

  1. Remove Access-Control-Allow-Origin: *
  2. Keep existing SSE headers needed for streaming.
  3. If needed, add an allowlist-based origin policy later via config.

Acceptance criteria

  • The progress SSE endpoint no longer returns wildcard CORS.
  • Existing authenticated progress streaming still works in the app UI.
  • No regression in progress updates during file analysis/import flows.

Additional context

I am new to open source contributions and would like to work on this as a first small PR. Happy to follow maintainer guidance on the preferred CORS approach.
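
One way to implement the allowlist option from the issue, as an added example that is not the project's code: the response carries `Access-Control-Allow-Origin` only when the request's `Origin` exactly matches a configured entry, and never a wildcard. The function names, the `PROGRESS_ALLOWED_ORIGINS` variable and the two SSE headers are assumptions; the issue does not list the route's existing headers.

```typescript
// Added example; not the project's code. All names here are hypothetical.
type HeaderMap = Record<string, string>;

// Typical SSE response headers (assumed; the issue does not list the route's own).
const SSE_HEADERS: HeaderMap = {
  "Content-Type": "text/event-stream",
  "Cache-Control": "no-cache, no-transform",
};

// Parse a comma-separated allowlist, e.g. the value of a hypothetical
// PROGRESS_ALLOWED_ORIGINS environment variable. Only exact http(s) origins
// survive: "*", "null", wildcard hosts and entries with a path are dropped.
function parseAllowedOrigins(raw: string | undefined): string[] {
  const origins: string[] = [];
  for (const item of (raw ?? "").split(",")) {
    const origin = item.trim().toLowerCase().replace(/\/+$/, "");
    if (/^https?:\/\/[^\/*\s]+$/.test(origin) && origins.indexOf(origin) === -1) {
      origins.push(origin);
    }
  }
  return origins;
}

// Build the response headers for one request. requestOrigin is the value of
// the request's Origin header, or null when the header is absent.
function buildSseHeaders(requestOrigin: string | null, allowed: string[]): HeaderMap {
  // Vary: Origin keeps shared caches from replaying one origin's CORS grant to another.
  const headers: HeaderMap = { ...SSE_HEADERS, Vary: "Origin" };
  // Exact string match only: no substring, suffix or regex comparison.
  if (requestOrigin !== null && allowed.indexOf(requestOrigin) !== -1) {
    // The echoed value equals a configured entry; it is never a wildcard.
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Constructed sample configuration and requests.
const sampleAllowed = parseAllowedOrigins("https://app.example.com/, *, null, https://*.example.com");
for (const origin of ["https://app.example.com", "https://app.example.com.evil.example", null]) {
  const acao = buildSseHeaders(origin, sampleAllowed)["Access-Control-Allow-Origin"];
  console.log(origin, "->", acao ?? "(no CORS header)");
}
```

In a route handler the first argument would come from `request.headers.get("origin")`. If the cross-origin client authenticates with cookies, the response also needs `Access-Control-Allow-Credentials: true`, which browsers only honor alongside a non-wildcard origin.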
