FIX: Ensure app-cdn CORS is not overridden by cors_origin setting (#24661)

We add `Access-Control-Allow-Origin: *` to all asset requests which are requested via a configured CDN. This is particularly important now that we're using browser-native `import()` to load the highlightjs bundle. Unfortunately, the user-configurable `cors_origins` site setting was overriding the wildcard value on CDN assets and causing CORS errors.

This commit updates the logic to give the `*` value precedence, and adds a spec for the situation. It also invalidates the cache of hljs assets (because CDNs will have cached the bad Access-Control-Allow-Origin header).

The rack-cors middleware is also slightly tweaked so that it is always inserted. This makes things easier to test and more consistent.
David Taylor
2023-12-01 12:57:11 +00:00
committed by GitHub
parent b72a177fb3
commit ecf7a4f0c6
4 changed files with 43 additions and 7 deletions
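To make the precedence rule in the commit message concrete, here is an added example that is not Discourse's own code: a minimal Rack-style middleware (plain Ruby, no gem required) with the decision logic written twice, once with the ordering that lets `cors_origins` clobber the wildcard and once with the wildcard taking precedence for CDN asset requests. The CDN host `cdn.example.test`, the `/assets/` route prefix, the `|`-separated format of `cors_origins`, and the request values are all constructed assumptions for this example.

```ruby
require "uri"

# Constructed settings standing in for the site/global settings named in the
# commit message; the CDN URL and asset prefix are assumptions for this example.
SETTINGS = {
  enable_cors: true,
  cors_origins: "www.rainbows.com",     # user-configurable allow-list, "|"-separated (assumed format)
  cdn_url: "https://cdn.example.test",  # hypothetical app CDN
}.freeze

ASSET_PREFIX = "/assets/" # assumed route prefix for static assets

# An asset request served through the configured CDN host.
def cdn_asset_request?(env, settings)
  env["HTTP_HOST"].to_s == URI(settings[:cdn_url]).host &&
    env["PATH_INFO"].to_s.start_with?(ASSET_PREFIX)
end

# Echo the Origin header back only when its host is on the cors_origins
# allow-list and CORS is enabled; otherwise nil (no header at all).
def configured_origin_for(env, settings)
  return nil unless settings[:enable_cors]
  origin = env["HTTP_ORIGIN"].to_s
  host = begin
    URI(origin).host
  rescue URI::InvalidURIError
    nil
  end
  allowed = settings[:cors_origins].to_s.split("|").map(&:strip)
  host && allowed.include?(host) ? origin : nil
end

# BEFORE: the cors_origins match is applied last, so on a CDN asset request it
# overwrites "*" whenever the Origin happens to be on the allow-list.
def allow_origin_before(env, settings = SETTINGS)
  value = cdn_asset_request?(env, settings) ? "*" : nil
  configured = configured_origin_for(env, settings)
  value = configured if configured # bug: clobbers the wildcard
  value
end

# AFTER: the wildcard for CDN assets takes precedence and is never overridden.
def allow_origin_after(env, settings = SETTINGS)
  return "*" if cdn_asset_request?(env, settings)
  configured_origin_for(env, settings)
end

# Minimal Rack-style middleware that applies the chosen decision function to
# every response. It is always in the stack; the decision function returns nil
# when no header should be set.
class CorsHeaders
  def initialize(app, decide:, settings: SETTINGS)
    @app, @decide, @settings = app, decide, settings
  end

  def call(env)
    status, headers, body = @app.call(env)
    value = @decide.call(env, @settings)
    headers["Access-Control-Allow-Origin"] = value if value
    [status, headers, body]
  end
end

# Run one constructed request through the middleware and return the
# Access-Control-Allow-Origin header it produced (nil if none was set).
def header_for(path:, host:, origin: nil, fixed: true, settings: SETTINGS)
  app = lambda { |_env| [200, {}, ["ok"]] }
  env = { "PATH_INFO" => path, "HTTP_HOST" => host }
  env["HTTP_ORIGIN"] = origin if origin
  decide = fixed ? method(:allow_origin_after) : method(:allow_origin_before)
  _status, headers, _body = CorsHeaders.new(app, decide: decide, settings: settings).call(env)
  headers["Access-Control-Allow-Origin"]
end

if __FILE__ == $PROGRAM_NAME
  cdn = { path: "/assets/highlightjs/highlight.js", host: "cdn.example.test",
          origin: "https://www.rainbows.com" }
  puts "before: #{header_for(**cdn, fixed: false)}" # https://www.rainbows.com
  puts "after:  #{header_for(**cdn)}"               # *
end
```

The failing case is exactly the one the commit describes: an Origin that is on the `cors_origins` list requests a CDN-hosted asset, and the allow-list branch replaces `*` with the echoed origin. Because a CDN caches the first response it sees for that URL, the wrong header then gets served to every other origin, which is why the commit also busts the hljs asset cache. The fixed ordering returns early for CDN assets, so `enable_cors` and `cors_origins` only ever influence non-asset requests.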


@ -73,6 +73,7 @@ RSpec.describe Hijack do
it "handles cors" do
SiteSetting.cors_origins = "www.rainbows.com"
global_setting :enable_cors, true
app =
lambda do |env|
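Review bot: the `it "handles cors"` example in this hunk configures `cors_origins = "www.rainbows.com"` with `enable_cors` enabled, which is precisely the setup in which the wildcard used to be overridden; the assertion for the CDN asset case should check that the response header is literally `*` (not merely present), and a second request that is not a CDN asset should still be asserted to carry the configured origin, so that both the precedence rule and the existing `cors_origins` behaviour stay pinned by the spec.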