discourse

mirror of https://github.com/discourse/discourse.git synced 2025-06-18 03:06:02 +08:00

Files

David Taylor 27227c9ece DEV: Simplify CORS logic for public asset routes (#33106 )

Previously we would check the request for a matching CDN hostname before
applying the `Access-Control-Allow-Origin` header. That logic requires
the CDN to include its public-facing hostname in the `Host` header,
which is not always the case.

Since we are only running this `apply_cdn_headers` before_action on
publicly-accessible asset routes, we can simplify things so that the
`Access-Control-Allow-Origin: *` header is always included. That will
make CDN config requirements much more relaxed.

At the moment, this is primarily relevant to the HighlightJsController
routes, which are loaded using native JS `type=module`. But in the near
future, we plan to expand our use of `type=module` to more critical JS
assets like translations and themes.

Also drops the `Access-Control-Allow-Methods` header from these
responses. That isn't needed for `GET` and `HEAD` requests.

2025-06-09 08:58:27 +01:00

anonymous_cache.rb

DEV: Add new key for anon cache for localization (#32640 )

2025-05-08 14:30:03 +08:00

csp_script_nonce_injector.rb

DEV: Memoize CSP nonce placeholder on response (#25724 )

2024-02-16 12:15:55 +00:00

default_headers.rb

DEV: ensure Rails application default headers are present in responses (#31619 )

2025-03-05 13:19:09 +08:00

discourse_public_exceptions.rb

DEV: Fix Lint/ShadowingOuterLocalVariable (#32036 )