From d120db533aaef027057209a322c863558f36a370 Mon Sep 17 00:00:00 2001
From: Conan Scott
Date: Fri, 13 Mar 2026 07:22:42 +0000
Subject: [PATCH] fix(route): inject Origin header for native app canvas WebSocket auth

Native iOS/macOS apps do not send an Origin header in WebSocket connections. The gateway checkBrowserOrigin() fails immediately on null origin before any allowedOrigins check can run. Injecting Origin at the HAProxy ingress level gives the gateway a valid origin to validate against the existing allowedOrigins list (https://openclaw.apps.lab.apilab.us).

Related: openclaw/openclaw#24055, #35030, #35109
---
 manifests/route.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/manifests/route.yaml b/manifests/route.yaml
index b7009ae..02420b8 100644
--- a/manifests/route.yaml
+++ b/manifests/route.yaml
@@ -5,6 +5,14 @@ metadata:
 namespace: openclaw
 spec:
 host: openclaw.apps.lab.apilab.us
+ httpHeaders:
+ actions:
+ request:
+ - name: Origin
+ action:
+ type: Set
+ set:
+ value: "https://openclaw.apps.lab.apilab.us"
 to:
 kind: Service
 name: openclaw
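Review bot: The `type: Set` action added under `httpHeaders.actions.request` appears to replace `Origin` on every request through this route, not only on requests that arrive without one, so a browser connection opened from any other site would reach the gateway carrying the allowed origin and the `checkBrowserOrigin()` / allowedOrigins check named in the commit message can no longer tell cross-site WebSocket requests apart. If the gateway relies on that check against cross-site WebSocket hijacking, it is effectively disabled for all clients on this host, leaving the WebSocket's own authentication as the only control; that authentication should be confirmed not to depend on cookies the browser attaches automatically. Prefer leaving the browser-supplied header untouched, for example by serving native apps through a separate route or host and injecting the header only there, or by having the gateway accept a missing Origin only from authenticated non-browser clients. At minimum, record the trade-off above `httpHeaders:` with a comment such as `# Overwrites Origin for ALL clients; the gateway origin check is not a security control on this route`.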