Description
Related issues
See the following issue which was intended for something else but its partial fix caused this bug:
#1506 (comment)
Since this bug is buried within that other issue and is a regression in v6.4.0 and above, I am raising this (separate) issue here again to give it more visibility as it blocks updates to v6.4.0 and above.
[REQUIRED] Version info
node: v24.12.0
firebase-functions: v6.4.0
firebase-tools: 15.0.0
firebase-admin: 13.6.0
[REQUIRED] Test case
I was doing something like this which worked prior to v6.4.0:
.env:
ALLOWED_CORS_ORIGINS="^https:\/\/(some|other)\.example\.com$"
export const environmentVariableAllowedCorsOrigins = defineString('ALLOWED_CORS_ORIGINS')
const corsOptions = environmentVariableAllowedCorsOrigins as unknown as string
export const myFn = onCall({
  cors: corsOptions
}, ...
)
...however, this fails now since updating to firebase-functions@6.4.0 or higher (also v7.0.1) with the following message in Chrome:
Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains the invalid value '^https://(some|other).example.com$'. Have the server send the header with a valid value.
Obviously, the incorrect Access-Control-Allow-Origin header is provided to the client with the response to the preflight request - it should only report the actual host but it returns the whole regex as a string now.
When I try the following (basically used from the #1688 PR's tests), it fails when starting the emulator:
ALLOWED_CORS_ORIGINS="['example.com','example2.com']"
const corsOptions = defineList('ALLOWED_CORS_ORIGINS')
export const myFn = onCall({
  cors: corsOptions
}, ...
)
It fails when starting the emulator with the following error:
Serving at port XXXX
{"severity":"WARNING","message":"params.ALLOWED_CORS_ORIGINS.value() invoked during function deployment, instead of during runtime."}
{"severity":"WARNING","message":"This is usually a mistake. In configs, use Params directly without calling .value()."}
{"severity":"WARNING","message":"example: { memory: memoryParam } not { memory: memoryParam.value() }"}
SyntaxError: "undefined" is not valid JSON
This means providing a CORS option that needs to be a regex (or multiple single strings) based on a defineString parameter is now broken since v6.4.0 and I cannot update to v6.4.0 or higher until this is fixed as it will break production.
[REQUIRED] Steps to reproduce
See repro above.
[REQUIRED] Expected behavior
After updating to v6.4.0 or higher, CORS can be set via regex (or at least multiple single strings) based on a defineString parameter.
[REQUIRED] Actual behavior
See error messages above
Were you able to successfully deploy your functions?
No, this breaks CORS during runtime (thus breaks function calls) and tests (when using emulator).
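Added example, not part of the original issue and not firebase-functions code: the behaviour the report expects from a regex allowlist held in a string parameter, where the response echoes the single matching request origin and never the pattern itself. The helper names (`compileOriginPattern`, `corsHeadersFor`), the constructed pattern value and the sample origins are assumptions for illustration.

```javascript
// Constructed sample value, shaped like the ALLOWED_CORS_ORIGINS pattern in the report.
const SAMPLE_PATTERN = "^https:\\/\\/(some|other)\\.example\\.com$";

// Hypothetical helper: turn the configured string into a RegExp at runtime.
function compileOriginPattern(source) {
  if (typeof source !== "string" || source.length === 0) {
    throw new TypeError("origin pattern must be a non-empty string");
  }
  // Cheap sanity check: without both anchors the pattern would also accept
  // longer hosts that merely contain an allowed one.
  if (!source.startsWith("^") || !source.endsWith("$")) {
    throw new Error("origin pattern must be anchored with ^ and $");
  }
  return new RegExp(source); // no "g" flag, so test() keeps no state between calls
}

// Hypothetical helper: decide the CORS response headers for one request.
// Fails closed: without a match no Access-Control-Allow-Origin header is set.
function corsHeadersFor(requestOrigin, pattern) {
  // Vary: Origin keeps shared caches from reusing one origin's answer for another.
  const headers = { Vary: "Origin" };
  if (typeof requestOrigin !== "string" || !pattern.test(requestOrigin)) {
    return headers;
  }
  // Echo exactly one origin; the header must never carry the regex source.
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  return headers;
}

// Constructed request origins: two allowed, two that must be refused.
function demo() {
  const pattern = compileOriginPattern(SAMPLE_PATTERN);
  return [
    "https://some.example.com",
    "https://other.example.com",
    "https://some.example.com.example.net",
    "http://some.example.com",
  ].map((origin) => [
    origin,
    corsHeadersFor(origin, pattern)["Access-Control-Allow-Origin"] ?? null,
  ]);
}

console.log(demo());
```
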