Revert "fix(execute): block cross-origin session-authenticated workflow runs (#5062)"

This reverts commit 67e02fa.

Author: TheodoreSpeaks

apps/sim/app/api/workflows/[id]/execute/route.async.test.ts

@@ -194,26 +194,6 @@ describe('workflow execute async route', () => {
     )
   })
 
-  it('rejects cross-origin session requests before authorization work', async () => {
-    const req = createMockRequest(
-      'POST',
-      { input: { hello: 'world' } },
-      {
-        'Content-Type': 'application/json',
-        'Sec-Fetch-Site': 'cross-site',
-      }
-    )
-    const params = Promise.resolve({ id: 'workflow-1' })
-
-    const response = await POST(req, { params })
-    const body = await response.json()
-
-    expect(response.status).toBe(403)
-    expect(body.error).toBe('Access denied')
-    expect(mockAuthorizeWorkflowByWorkspacePermission).not.toHaveBeenCalled()
-    expect(mockEnqueue).not.toHaveBeenCalled()
-  })
-
   it('rejects oversized request bodies before authorization work', async () => {
     const req = createMockRequest(
       'POST',

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -20,7 +20,6 @@ import {
   getTimeoutErrorMessage,
   isTimeoutError,
 } from '@/lib/core/execution-limits'
-import { isCrossOriginSessionRequest } from '@/lib/core/security/same-origin'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import {
@@ -394,17 +393,6 @@ async function handleExecutePost(
 
   try {
     const auth = await checkHybridAuth(req, { requireWorkflowId: false })
-
-    // CSRF guard: reject session-cookie execution that is provably cross-origin
-    // (a different site driving the user's browser). Scoped to session auth —
-    // API-key / public-API / internal-JWT callers don't use cookies. This is not
-    // a defense against a non-browser client forging headers; that surface is
-    // covered by the credit and execution rate-limit gates.
-    if (auth.success && auth.authType === AuthType.SESSION && isCrossOriginSessionRequest(req)) {
-      reqLogger.warn('Rejected cross-origin session-authenticated execute request')
-      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
-    }
-
     const isMcpBridgeRequest =
       auth.authType === AuthType.INTERNAL_JWT && req.headers.get(MCP_TOOL_BRIDGE_HEADER) === 'true'
     const useMcpBridgeAuthenticatedUserAsActor =