github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-06-23 03:11:31 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

DEV: Simplify CORS logic for public asset routes (#33106)

Browse Source 
Previously we would check the request for a matching CDN hostname before
applying the `Access-Control-Allow-Origin` header. That logic requires
the CDN to include its public-facing hostname in the `Host` header,
which is not always the case.

Since we are only running this `apply_cdn_headers` before_action on
publicly-accessible asset routes, we can simplify things so that the
`Access-Control-Allow-Origin: *` header is always included. That will
make CDN config requirements much more relaxed.

At the moment, this is primarily relevant to the HighlightJsController
routes, which are loaded using native JS `type=module`. But in the near
future, we plan to expand our use of `type=module` to more critical JS
assets like translations and themes.

Also drops the `Access-Control-Allow-Methods` header from these
responses. That isn't needed for `GET` and `HEAD` requests.
This commit is contained in:
David Taylor
2025-06-09 08:58:27 +01:00
committed by GitHub
parent b1d4db17e3
commit 27227c9ece
4 changed files with 2 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
lib/middleware/enforce_hostname.rb
View File

@ -17,7 +17,6 @@ module Middleware
allowed_hostnames = RailsMultisite::ConnectionManagement.current_db_hostnames
requested_hostname = env[Rack::HTTP_HOST]
env[Discourse::REQUESTED_HOSTNAME] = requested_hostname
env[Rack::HTTP_HOST] = allowed_hostnames.find { |h| h == requested_hostname } ||
Discourse.current_hostname_with_port