From 04a21927b2d4f43808fd7046ee9c561257adc252 Mon Sep 17 00:00:00 2001
From: Dinawo
Date: Sun, 26 Oct 2025 00:54:39 +0200
Subject: [PATCH] Fix CORS blocking errors for CDN resources (v1.2.1-beta)

Fixed ERR_BLOCKED_BY_RESPONSE.NotSameOrigin errors by implementing proper CORS headers for public resources:
- Added Access-Control-Allow-Origin: * for public assets
- Changed Cross-Origin-Resource-Policy to cross-origin for CDN files
- Maintained strict security for sensitive routes
- Added cache control for optimal CDN performance

Affected files:
- /public/* (images, CSS, JS, fonts)
- /cdn-files/* (uploaded files)
- /attachments (file serving)
---
 Middlewares/securityHeadersMiddleware.js | 22 ++++++++++++++++++++--
 package.json | 2 +-
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/Middlewares/securityHeadersMiddleware.js b/Middlewares/securityHeadersMiddleware.js
index ba34527..7160f45 100644
--- a/Middlewares/securityHeadersMiddleware.js
+++ b/Middlewares/securityHeadersMiddleware.js
@@ -67,8 +67,26 @@ const securityHeadersMiddleware = (req, res, next) => {
 // Cross-Origin-Opener-Policy - Isole le contexte de navigation
 res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
 
- // Cross-Origin-Resource-Policy - Contrôle le partage de ressources
- res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');
+ // CORS Headers pour CDN - Permet l'accès cross-origin aux ressources publiques
+ const isPublicResource = req.path.startsWith('/public/') ||
+ req.path.startsWith('/cdn-files/') ||
+ req.path.startsWith('/attachments') ||
+ req.path.match(/\.(png|jpg|jpeg|gif|svg|webp|ico|css|js|woff|woff2|ttf|eot)$/i);
+
+ if (isPublicResource) {
+ // Autoriser toutes les origines pour les ressources publiques du CDN
+ res.setHeader('Access-Control-Allow-Origin', '*');
+ res.setHeader('Access-Control-Allow-Methods', 'GET, HEAD, OPTIONS');
+ res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Accept, Range');
+ res.setHeader('Access-Control-Expose-Headers', 'Content-Length, Content-Range, Content-Type');
+ res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin');
+
+ // Cache control pour les ressources statiques
+ res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
+ } else {
+ // Routes sensibles : garder la sécurité stricte
+ res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');
+ }
 
 next();
 };
diff --git a/package.json b/package.json
index f2c7a73..399bbd4 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@cdn-app/insider-myaxrin-labs-dinawo",
- "version": "1.2.0-beta",
+ "version": "1.2.1-beta",
 "description": "",
 "main": "server.js",
 "scripts": {
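Review bot: The extension regex on the `isPublicResource` line matches any path that ends in `.js`, `.css`, `.png` and so on, not only the CDN prefixes, so an authenticated route whose path happens to end that way would also receive `Access-Control-Allow-Origin: *`, `Cross-Origin-Resource-Policy: cross-origin` and, more seriously, `Cache-Control: public, max-age=31536000, immutable`, which tells shared caches they may store that response and serve it to any client for a year. The same cache directive is applied to `/attachments`, which the commit message describes as file serving for uploaded files; if those responses are ever access-controlled or replaceable under the same URL, `public, immutable` is the wrong policy for them and should be decided by the attachment route rather than by a blanket header here. I would drop the regex and key the branch on the explicit prefixes only, e.g. `const isPublicResource = req.path.startsWith('/public/') || req.path.startsWith('/cdn-files/') || req.path.startsWith('/attachments/');`, and gate the `Cache-Control` line on the `/public/` and `/cdn-files/` prefixes alone. Note also that `/attachments` without a trailing slash matches paths such as `/attachments-admin`, and that if this runs under Express `req.path` is relative to the router's mount point, so the prefixes only work as intended when the middleware is mounted at the application root. The enclosing `securityHeadersMiddleware` function begins before this hunk.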