Follow-up from #4908 (Origin header validation for DNS-rebind protection)
#4908 wires the origin validation middleware into the thv run / thv proxy / proxyrunner paths. vMCP composes its own middleware chain (via factory.NewIncomingAuthMiddleware and pkg/vmcp/server/server.go's Handler) and does not reference the origin package, so vMCP-fronted servers do not currently enforce Origin-header validation.
Scope
- Integrate
origin validation (or the shared origin.ResolveAllowedOrigins derivation) into the vMCP incoming middleware chain.
- Decide how the allowlist is configured for vMCP (CLI flag / config file / CRD), consistent with the workload-CRD follow-up.
Context
Follow-up from #4908 (Origin header validation for DNS-rebind protection)
#4908 wires the
originvalidation middleware into thethv run/thv proxy/ proxyrunner paths. vMCP composes its own middleware chain (viafactory.NewIncomingAuthMiddlewareandpkg/vmcp/server/server.go'sHandler) and does not reference theoriginpackage, so vMCP-fronted servers do not currently enforce Origin-header validation.Scope
originvalidation (or the sharedorigin.ResolveAllowedOriginsderivation) into the vMCP incoming middleware chain.Context