Skip to content

Core: Register CORS middleware before index.json route#33728

Merged
valentinpalkovic merged 1 commit intostorybookjs:nextfrom
jonathan-fulton:fix/cors-index-json-33724
Feb 2, 2026
Merged

Core: Register CORS middleware before index.json route#33728
valentinpalkovic merged 1 commit intostorybookjs:nextfrom
jonathan-fulton:fix/cors-index-json-33724

Conversation

@jonathan-fulton
Copy link
Copy Markdown
Contributor

@jonathan-fulton jonathan-fulton commented Jan 31, 2026
edited by coderabbitai bot
Loading

Description

Fixes #33724

The /index.json endpoint was missing CORS headers because the route handler was registered before the CORS middleware. This broke Storybook Composition when composing local Storybooks running on different ports.

Root Cause

The middleware registration order in dev-server.ts was:

  1. registerIndexJsonRoute() ❌ Route registered first
  2. app.use(compression(...))
  3. app.use(getAccessControlMiddleware(...)) ❌ CORS middleware registered after

Since the /index.json route handler sends the response directly without calling next(), the CORS middleware never had a chance to add headers.

Solution

Moved the middleware registration order so that CORS headers are applied to all routes:

  1. app.use(compression(...))
  2. app.use(getAccessControlMiddleware(...)) ✅ CORS middleware first
  3. app.use(getCachingMiddleware())
  4. registerIndexJsonRoute() ✅ Route registered after

Testing

  • Local testing with Storybook Composition confirms CORS headers are now present on /index.json
  • Verified Access-Control-Allow-Origin: * header is returned

What this fixes

  • Storybook Composition now works correctly across different ports
  • No more CORS errors when fetching /index.json from a composed Storybook

Summary by CodeRabbit

  • Bug Fixes
    • Fixed cross-origin access to the index endpoint to ensure proper functionality for requests from different domains.

✏️ Tip: You can customize this high-level summary in your review settings.

@jonathan-fulton
Fix: Register CORS middleware before index.json route
703fd09 
Fixes storybookjs#33724

The /index.json endpoint was missing CORS headers because the route
handler was registered before the CORS middleware. This broke Storybook
Composition when composing local Storybooks running on different ports.

The fix moves the middleware registration order so that:
1. Compression middleware is applied first
2. extendServer callback is called
3. CORS middleware (getAccessControlMiddleware) is registered
4. Caching middleware is registered
5. Route handlers are registered (including /index.json)

This ensures all routes receive proper CORS headers, fixing the
'Access-Control-Allow-Origin' header missing error for /index.json.
@coderabbitai
Copy link
Copy Markdown
Contributor

coderabbitai bot commented Jan 31, 2026

📝 Walkthrough

Walkthrough

The dev server's /index.json route registration has been reordered to occur after CORS and caching middleware are initialized, ensuring the route properly receives CORS headers. A clarifying comment about CORS ordering was added alongside the reordering.

Changes

Cohort / File(s) Summary
Dev Server Middleware Ordering
code/core/src/core-server/dev-server.ts		 Reordered /index.json route registration to execute after CORS and caching middleware setup; added clarifying comment regarding CORS header ordering.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

✨ Finishing touches
  • 📝 Generate docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@valentinpalkovic valentinpalkovic changed the title Fix: Register CORS middleware before index.json route Core: Register CORS middleware before index.json route Feb 2, 2026
@valentinpalkovic valentinpalkovic self-assigned this Feb 2, 2026
@valentinpalkovic valentinpalkovic moved this to In Progress in Core Team Projects Feb 2, 2026
@valentinpalkovic valentinpalkovic merged commit 976cf98 into storybookjs:next Feb 2, 2026
118 of 126 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Core Team Projects Feb 2, 2026
This was referenced Feb 2, 2026
Merged
Closed
@valentinpalkovic valentinpalkovic added the needs qa Indicates that this needs manual QA during the upcoming minor/major release label Feb 13, 2026
@storybook-app-bot
Copy link
Copy Markdown

storybook-app-bot bot commented Feb 13, 2026

Package Benchmarks

Commit: 703fd09, ran on 13 February 2026 at 14:14:28 UTC

The following packages have significant changes to their size or dependencies:

@storybook/cli

Before After Difference
Dependency count 183 183 0
Self size 779 KB 776 KB 🎉 -3 KB 🎉
Dependency size 67.62 MB 67.57 MB 🎉 -50 KB 🎉
Bundle Size Analyzer Link Link

create-storybook

Before After Difference
Dependency count 50 50 0
Self size 1.04 MB 1000 KB 🎉 -44 KB 🎉
Dependency size 36.93 MB 36.93 MB 🎉 -6 KB 🎉
Bundle Size Analyzer node node

@storybook/preact

Before After Difference
Dependency count 2 2 0
Self size 23 KB 16 KB 🎉 -7 KB 🎉
Dependency size 32 KB 32 KB 0 B
Bundle Size Analyzer Link Link

@Sidnioulz Sidnioulz removed the needs qa Indicates that this needs manual QA during the upcoming minor/major release label Mar 17, 2026
@anoveldependencybot anoveldependencybot bot mentioned this pull request Mar 18, 2026
Merged
1 task
This was referenced Mar 18, 2026
Merged
Merged
Open
Merged
@anoveldependencybot anoveldependencybot bot mentioned this pull request Mar 18, 2026
Merged
1 task
This was referenced Mar 18, 2026
Merged
Merged
Open
@anoveldependencybot anoveldependencybot bot mentioned this pull request Mar 18, 2026
Merged
1 task
This was referenced Mar 18, 2026
Open
Open
@renovate renovate bot mentioned this pull request Apr 7, 2026
Merged
1 task
@renolh renolh bot mentioned this pull request Apr 8, 2026
Closed
1 task
This was referenced Apr 8, 2026
Closed
Merged
Open
Merged
@renolh renolh bot mentioned this pull request Apr 11, 2026
Open
1 task
This was referenced Apr 12, 2026
Merged
Open
Merged
Merged
Merged
Merged
Open
Open
Open
Open
Closed
Merged
@cultureamp-renovate cultureamp-renovate bot mentioned this pull request Apr 17, 2026
Closed
1 task
This was referenced Apr 17, 2026
Merged
Open
Open
Open
Open
Open
Open
Open
Open
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@valentinpalkovic valentinpalkovic valentinpalkovic approved these changes

Assignees

@Sidnioulz Sidnioulz

@valentinpalkovic valentinpalkovic

Labels

bug ci:normal core

Projects

Core Team Projects
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug]: CORS headers missing from /index.json endpoint breaks composition in v10

3 participants

@jonathan-fulton @valentinpalkovic @Sidnioulz