envoyproxy/gateway

Allow for non http(s) schemes in securityPolicy

Open

#9.014 geöffnet am 16. Mai 2026

Auf GitHub ansehen
 (4 Kommentare) (0 Reaktionen) (0 zugewiesene Personen)Go (802 Forks)auto 404
help wanted

Repository-Metriken

Stars
 (2.871 Stars)
PR-Merge-Metriken
 (PR-Metriken ausstehend)

Beschreibung

The current SecurityPolicy CRD restricts the CORS filter's allowed origins to http(s) schemes only.

Is this intentional in order to conform with the HTTPRoute CORS definition?

I think it would be reasonable to allow non-HTTP(S) schemes here as well. The use case is admittedly niche, and anyone who really needs this could locally patch the CRD and move on, but I cannot think of any rationale for this restriction to begin with.

Contributor Guide