From ff9736dbe65383352255b19c8083ac81111f4770 Mon Sep 17 00:00:00 2001
From: Adam Ladachowski <adam.ladachowski@gmail.com>
Date: Sun, 15 Feb 2026 23:53:53 +0100
Subject: [PATCH] Fix CORS: allow_credentials must be False for wildcard
 origins

CORS spec doesn't allow credentials with wildcard origins.
This was causing 403 for all crossorigin module preloads.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 tensors/server/__init__.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tensors/server/__init__.py b/tensors/server/__init__.py
index ccf56c0..56587a3 100644
--- a/tensors/server/__init__.py
+++ b/tensors/server/__init__.py
@@ -49,11 +49,11 @@ def create_app() -> FastAPI:
         redoc_url=None,
     )
 
-    # CORS - allow all origins
+    # CORS - allow all origins (credentials=False required for wildcard origin)
     app.add_middleware(
         CORSMiddleware,
         allow_origins=["*"],
-        allow_credentials=True,
+        allow_credentials=False,
         allow_methods=["*"],
         allow_headers=["*"],
     )