From 05e170f3b778630c22cb3585351cea7f38f16181 Mon Sep 17 00:00:00 2001 From: Wiktor Starczewski Date: Tue, 24 Feb 2026 23:07:22 +0100 Subject: [PATCH 1/5] fix(rpc): move CORS layer above AcceptHeaderLayer When AcceptHeaderLayer rejects a request due to an unsupported SDK version, it short-circuits the response via futures::future::ready() which bypasses all downstream middleware. Since the CORS layer was below AcceptHeaderLayer, rejection responses had no CORS headers, causing browsers to block the error entirely. --- crates/rpc/src/server/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crates/rpc/src/server/mod.rs b/crates/rpc/src/server/mod.rs index 2299072073..cf0ef29d55 100644 --- a/crates/rpc/src/server/mod.rs +++ b/crates/rpc/src/server/mod.rs @@ -84,12 +84,12 @@ impl Rpc { .layer(CatchPanicLayer::custom(catch_panic_layer_fn)) .layer(TraceLayer::new_for_grpc().make_span_with(grpc_trace_fn)) .layer(HealthCheckLayer) + .layer(cors_for_grpc_web_layer()) .layer( AcceptHeaderLayer::new(&rpc_version, genesis.commitment()) .with_genesis_enforced_method("SubmitProvenTransaction") .with_genesis_enforced_method("SubmitProvenBatch"), ) - .layer(cors_for_grpc_web_layer()) // Enables gRPC-web support. .layer(GrpcWebLayer::new()) .add_service(api_service) From 3c6a043504ec2baa6889bcfd3594143db3ee2543 Mon Sep 17 00:00:00 2001 From: Wiktor Starczewski Date: Tue, 24 Feb 2026 23:10:34 +0100 Subject: [PATCH 2/5] chore: add changelog entry for CORS layer fix --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2e3fa5f6c8..d62ab3849f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## v0.13.5 (2026-02-19) +- Fixed CORS headers missing from version-rejection responses by reordering the CORS middleware above `AcceptHeaderLayer` ([#1707](https://github.com/0xMiden/node/pull/1707)). - OpenTelemetry traces are now flushed before program termination on panic ([#1643](https://github.com/0xMiden/miden-node/pull/1643)). - Added support for the note transport layer in the network monitor ([#1660](https://github.com/0xMiden/miden-node/pull/1660)). - Debian packages now include debug symbols ([#1666](https://github.com/0xMiden/miden-node/pull/1666)). From 75dc18dc9a49366552295d989f906c51ef46c1ee Mon Sep 17 00:00:00 2001 From: Wiktor Starczewski Date: Tue, 24 Feb 2026 23:10:51 +0100 Subject: [PATCH 3/5] chore: move changelog entry to v0.13.6 (TBD) --- CHANGELOG.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d62ab3849f..8f85acda03 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,11 @@ # Changelog -## v0.13.5 (2026-02-19) +## v0.13.6 (TBD) - Fixed CORS headers missing from version-rejection responses by reordering the CORS middleware above `AcceptHeaderLayer` ([#1707](https://github.com/0xMiden/node/pull/1707)). + +## v0.13.5 (2026-02-19) + - OpenTelemetry traces are now flushed before program termination on panic ([#1643](https://github.com/0xMiden/miden-node/pull/1643)). - Added support for the note transport layer in the network monitor ([#1660](https://github.com/0xMiden/miden-node/pull/1660)). - Debian packages now include debug symbols ([#1666](https://github.com/0xMiden/miden-node/pull/1666)). From 94ac0bae8e447302e7cdc0c35f15a13e2c962920 Mon Sep 17 00:00:00 2001 From: Wiktor Starczewski Date: Wed, 25 Feb 2026 13:32:04 +0100 Subject: [PATCH 4/5] Update crates/rpc/src/server/mod.rs Co-authored-by: Mirko <48352201+Mirko-von-Leipzig@users.noreply.github.com> --- crates/rpc/src/server/mod.rs | 3 +++ 1 file changed, 3 insertions(+) diff --git a/crates/rpc/src/server/mod.rs b/crates/rpc/src/server/mod.rs index cf0ef29d55..db860bf4d5 100644 --- a/crates/rpc/src/server/mod.rs +++ b/crates/rpc/src/server/mod.rs @@ -84,6 +84,9 @@ impl Rpc { .layer(CatchPanicLayer::custom(catch_panic_layer_fn)) .layer(TraceLayer::new_for_grpc().make_span_with(grpc_trace_fn)) .layer(HealthCheckLayer) + // Note: must come before the accept layer, as otherwise accept rejections + // do _not_ get CORS headers applied, masking the accept error in + // web-clients (which would experience CORS rejection). .layer(cors_for_grpc_web_layer()) .layer( AcceptHeaderLayer::new(&rpc_version, genesis.commitment()) From cc4243662a4ff904057c96a6d5b5f8c73b160309 Mon Sep 17 00:00:00 2001 From: Wiktor Starczewski Date: Wed, 25 Feb 2026 13:32:18 +0100 Subject: [PATCH 5/5] Update CHANGELOG.md Co-authored-by: Mirko <48352201+Mirko-von-Leipzig@users.noreply.github.com> --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f85acda03..960932062f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,7 +2,7 @@ ## v0.13.6 (TBD) -- Fixed CORS headers missing from version-rejection responses by reordering the CORS middleware above `AcceptHeaderLayer` ([#1707](https://github.com/0xMiden/node/pull/1707)). +- Fixed CORS headers missing from version-rejection responses ([#1707](https://github.com/0xMiden/node/pull/1707)). ## v0.13.5 (2026-02-19)