fix(route): inject Origin header for native app canvas WebSocket auth

Native iOS/macOS apps do not send an Origin header in WebSocket connections. The gateway checkBrowserOrigin() fails immediately on null origin before any allowedOrigins check can run. Injecting Origin at the HAProxy ingress level gives the gateway a valid origin to validate against the existing allowedOrigins list (https://openclaw.apps.lab.apilab.us). Related: openclaw/openclaw#24055, #35030, #35109
2026-03-13 07:22:42 +00:00
parent 514f78a118
commit d120db533a
1 changed files with 8 additions and 0 deletions
--- a/manifests/route.yaml
+++ b/manifests/route.yaml
@@ -5,6 +5,14 @@ metadata:
  namespace: openclaw
 spec:
  host: openclaw.apps.lab.apilab.us
+  httpHeaders:
+    actions:
+      request:
+      - name: Origin
+        action:
+          type: Set
+          set:
+            value: "https://openclaw.apps.lab.apilab.us"
  to:
    kind: Service
    name: openclaw