fix(gateway): enforce trusted-proxy HTTP origin checks (#58229)

* fix(gateway): enforce trusted-proxy HTTP origin checks

* Update CHANGELOG.md

src/gateway/http-utils.authorize-request.test.ts

@@ -5,6 +5,16 @@ vi.mock("./auth.js", () => ({
   authorizeHttpGatewayConnect: vi.fn(),
 }));
 
+vi.mock("../config/config.js", () => ({
+  loadConfig: vi.fn(() => ({
+    gateway: {
+      controlUi: {
+        allowedOrigins: ["https://control.example.com"],
+      },
+    },
+  })),
+}));
+
 vi.mock("./http-common.js", () => ({
   sendGatewayAuthFailure: vi.fn(),
 }));
@@ -66,6 +76,39 @@ describe("authorizeGatewayHttpRequestOrReply", () => {
     });
   });
 
+  it("forwards browser-origin policy into HTTP auth", async () => {
+    vi.mocked(authorizeHttpGatewayConnect).mockResolvedValue({
+      ok: true,
+      method: "trusted-proxy",
+      user: "operator",
+    });
+
+    await authorizeGatewayHttpRequestOrReply({
+      req: createReq({
+        host: "gateway.example.com",
+        origin: "https://evil.example",
+      }),
+      res: {} as ServerResponse,
+      auth: {
+        mode: "trusted-proxy",
+        allowTailscale: false,
+        trustedProxy: { userHeader: "x-user" },
+      },
+      trustedProxies: ["127.0.0.1"],
+    });
+
+    expect(vi.mocked(authorizeHttpGatewayConnect)).toHaveBeenCalledWith(
+      expect.objectContaining({
+        browserOriginPolicy: {
+          requestHost: "gateway.example.com",
+          origin: "https://evil.example",
+          allowedOrigins: ["https://control.example.com"],
+          allowHostHeaderOriginFallback: false,
+        },
+      }),
+    );
+  });
+
   it("replies with auth failure and returns null when auth fails", async () => {
     const res = {} as ServerResponse;
     vi.mocked(authorizeHttpGatewayConnect).mockResolvedValue({