From 2b735ce54acf9dacb85cfb4cf2a3048eba4e5dd4 Mon Sep 17 00:00:00 2001
From: HassanBahati <mukisabahati@gmail.com>
Date: Thu, 22 Jan 2026 12:48:26 +0300
Subject: [PATCH 1/3] fix: Remove false warning when using Expression in cors
 option

---
 spec/v2/providers/https.spec.ts | 74 ++++++++++++++++++++++++++++++++-
 src/v2/providers/https.ts       |  4 +-
 2 files changed, 75 insertions(+), 3 deletions(-)

diff --git a/spec/v2/providers/https.spec.ts b/spec/v2/providers/https.spec.ts
index 9ab5d52a8..a01be3bbc 100644
--- a/spec/v2/providers/https.spec.ts
+++ b/spec/v2/providers/https.spec.ts
@@ -32,7 +32,8 @@ import { FULL_ENDPOINT, MINIMAL_V2_ENDPOINT, FULL_OPTIONS, FULL_TRIGGER } from "
 import { onInit } from "../../../src/v2/core";
 import { Handler } from "express";
 import { genkit } from "genkit";
-import { clearParams, defineList, Expression } from "../../../src/params";
+import { clearParams, defineList, defineString, Expression } from "../../../src/params";
+import * as logger from "../../../src/logger";
 
 function request(args: {
   data?: any;
@@ -336,6 +337,45 @@ describe("onRequest", () => {
     await runHandler(func, req);
     expect(hello).to.equal("world");
   });
+
+  it("should not warn when using Expression-based cors config during deployment", async () => {
+    const loggerSpy = sinon.spy(logger, "warn");
+    const projectId = defineString("PROJECT_ID");
+
+    try {
+      process.env.PROJECT_ID = "test-project";
+      process.env.FUNCTIONS_CONTROL_API = "true";
+
+      const corsExpression = projectId.equals("test-project").thenElse(["http://localhost:8000"], []);
+      const func = https.onRequest(
+        {
+          cors: corsExpression,
+        },
+        (req, res) => {
+          res.send("42");
+        }
+      );
+
+      const req = request({
+        headers: {
+          referrer: "http://localhost:8000",
+          "content-type": "application/json",
+          origin: "http://localhost:8000",
+        },
+        method: "OPTIONS",
+      });
+
+      const response = await runHandler(func, req);
+
+      expect(response.status).to.equal(204);
+      expect(loggerSpy.called).to.be.false;
+    } finally {
+      delete process.env.PROJECT_ID;
+      delete process.env.FUNCTIONS_CONTROL_API;
+      clearParams();
+      loggerSpy.restore();
+    }
+  });
 });
 
 describe("onCall", () => {
@@ -568,6 +608,38 @@ describe("onCall", () => {
     expect(hello).to.equal("world");
   });
 
+  it("should not warn when using Expression-based cors config during deployment", async () => {
+    const loggerSpy = sinon.spy(logger, "warn");
+    const projectId = defineString("PROJECT_ID");
+
+    try {
+      process.env.PROJECT_ID = "test-project";
+      process.env.FUNCTIONS_CONTROL_API = "true";
+
+      const corsExpression = projectId.equals("test-project").thenElse(["http://localhost:5173"], []);
+      const func = https.onCall({ cors: corsExpression }, () => 42);
+
+      const req = request({
+        headers: {
+          referrer: "http://localhost:5173",
+          "content-type": "application/json",
+          origin: "http://localhost:5173",
+        },
+        method: "OPTIONS",
+      });
+
+      const response = await runHandler(func, req);
+
+      expect(response.status).to.equal(204);
+      expect(loggerSpy.called).to.be.false;
+    } finally {
+      delete process.env.PROJECT_ID;
+      delete process.env.FUNCTIONS_CONTROL_API;
+      clearParams();
+      loggerSpy.restore();
+    }
+  });
+
   describe("authPolicy", () => {
     before(() => {
       sinon.stub(debug, "isDebugFeatureEnabled").withArgs("skipTokenVerification").returns(true);
diff --git a/src/v2/providers/https.ts b/src/v2/providers/https.ts
index f38400029..8b322fd19 100644
--- a/src/v2/providers/https.ts
+++ b/src/v2/providers/https.ts
@@ -324,7 +324,7 @@ export function onRequest(
   handler = withErrorHandler(handler);
 
   if (isDebugFeatureEnabled("enableCors") || "cors" in opts) {
-    let origin = opts.cors instanceof Expression ? opts.cors.value() : opts.cors;
+    let origin = opts.cors instanceof Expression ? opts.cors.runtimeValue() : opts.cors;
     if (isDebugFeatureEnabled("enableCors")) {
       // Respect `cors: false` to turn off cors even if debug feature is enabled.
       origin = opts.cors === false ? false : true;
@@ -437,7 +437,7 @@ export function onCall<T = any, Return = any | Promise<any>, Stream = unknown>(
   let cors: string | boolean | RegExp | Array<string | RegExp> | undefined;
   if ("cors" in opts) {
     if (opts.cors instanceof Expression) {
-      cors = opts.cors.value();
+      cors = opts.cors.runtimeValue();
     } else {
       cors = opts.cors;
     }

From 7730830d9be5101e031975138b52bf491fbe37da Mon Sep 17 00:00:00 2001
From: HassanBahati <mukisabahati@gmail.com>
Date: Thu, 22 Jan 2026 16:53:34 +0300
Subject: [PATCH 2/3] tests: extract CORS expression test helper to reduce
 duplication

---
 spec/v2/providers/https.spec.ts | 110 +++++++++++++-------------------
 1 file changed, 45 insertions(+), 65 deletions(-)

diff --git a/spec/v2/providers/https.spec.ts b/spec/v2/providers/https.spec.ts
index a01be3bbc..e4a15ac0b 100644
--- a/spec/v2/providers/https.spec.ts
+++ b/spec/v2/providers/https.spec.ts
@@ -60,6 +60,41 @@ function request(args: {
   return ret;
 }
 
+async function testWarningForCorsExpression(
+  createFunc: (options: { cors: Expression<string[]> }) => https.HttpsFunction,
+  origin: string
+) {
+  const loggerSpy = sinon.spy(logger, "warn");
+  const projectId = defineString("PROJECT_ID");
+
+  try {
+    process.env.PROJECT_ID = "test-project";
+    process.env.FUNCTIONS_CONTROL_API = "true";
+
+    const corsExpression = projectId.equals("test-project").thenElse([origin], []);
+    const func = createFunc({ cors: corsExpression });
+
+    const req = request({
+      headers: {
+        referrer: origin,
+        "content-type": "application/json",
+        origin: origin,
+      },
+      method: "OPTIONS",
+    });
+
+    const response = await runHandler(func, req);
+
+    expect(response.status).to.equal(204);
+    expect(loggerSpy.called).to.be.false;
+  } finally {
+    delete process.env.PROJECT_ID;
+    delete process.env.FUNCTIONS_CONTROL_API;
+    clearParams();
+    loggerSpy.restore();
+  }
+}
+
 describe("onRequest", () => {
   beforeEach(() => {
     options.setGlobalOptions({});
@@ -339,42 +374,12 @@ describe("onRequest", () => {
   });
 
   it("should not warn when using Expression-based cors config during deployment", async () => {
-    const loggerSpy = sinon.spy(logger, "warn");
-    const projectId = defineString("PROJECT_ID");
-
-    try {
-      process.env.PROJECT_ID = "test-project";
-      process.env.FUNCTIONS_CONTROL_API = "true";
-
-      const corsExpression = projectId.equals("test-project").thenElse(["http://localhost:8000"], []);
-      const func = https.onRequest(
-        {
-          cors: corsExpression,
-        },
-        (req, res) => {
-          res.send("42");
-        }
-      );
-
-      const req = request({
-        headers: {
-          referrer: "http://localhost:8000",
-          "content-type": "application/json",
-          origin: "http://localhost:8000",
-        },
-        method: "OPTIONS",
-      });
-
-      const response = await runHandler(func, req);
-
-      expect(response.status).to.equal(204);
-      expect(loggerSpy.called).to.be.false;
-    } finally {
-      delete process.env.PROJECT_ID;
-      delete process.env.FUNCTIONS_CONTROL_API;
-      clearParams();
-      loggerSpy.restore();
-    }
+    await testWarningForCorsExpression(
+      (opts) => https.onRequest(opts, (req, res) => {
+        res.send("42");
+      }),
+      "http://localhost:8000"
+    );
   });
 });
 
@@ -609,35 +614,10 @@ describe("onCall", () => {
   });
 
   it("should not warn when using Expression-based cors config during deployment", async () => {
-    const loggerSpy = sinon.spy(logger, "warn");
-    const projectId = defineString("PROJECT_ID");
-
-    try {
-      process.env.PROJECT_ID = "test-project";
-      process.env.FUNCTIONS_CONTROL_API = "true";
-
-      const corsExpression = projectId.equals("test-project").thenElse(["http://localhost:5173"], []);
-      const func = https.onCall({ cors: corsExpression }, () => 42);
-
-      const req = request({
-        headers: {
-          referrer: "http://localhost:5173",
-          "content-type": "application/json",
-          origin: "http://localhost:5173",
-        },
-        method: "OPTIONS",
-      });
-
-      const response = await runHandler(func, req);
-
-      expect(response.status).to.equal(204);
-      expect(loggerSpy.called).to.be.false;
-    } finally {
-      delete process.env.PROJECT_ID;
-      delete process.env.FUNCTIONS_CONTROL_API;
-      clearParams();
-      loggerSpy.restore();
-    }
+    await testWarningForCorsExpression(
+      (opts) => https.onCall(opts, () => 42),
+      "http://localhost:5173"
+    );
   });
 
   describe("authPolicy", () => {

From 907596057465b8a84d99628567e5fea02ffeb55a Mon Sep 17 00:00:00 2001
From: HassanBahati <mukisabahati@gmail.com>
Date: Thu, 22 Jan 2026 17:11:08 +0300
Subject: [PATCH 3/3] chore: update CHANGELOG.md

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7b0b7d392..4aea12203 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1 +1,3 @@
+- fix: Remove false warning when using Expression in cors option #1802
+
 - Fixed issue with missing dependency on `graphql`. (#1795)