Fix CORS blocking errors for CDN resources (v1.2.1-beta)

Fixed ERR_BLOCKED_BY_RESPONSE.NotSameOrigin errors by implementing proper CORS headers for public resources:
- Added Access-Control-Allow-Origin: * for public assets
- Changed Cross-Origin-Resource-Policy to cross-origin for CDN files
- Maintained strict security for sensitive routes
- Added cache control for optimal CDN performance

Affected files:
- /public/* (images, CSS, JS, fonts)
- /cdn-files/* (uploaded files)
- /attachments (file serving)
2025-10-26 00:54:39 +02:00
parent 2df1b28962
commit 04a21927b2
2 changed files with 21 additions and 3 deletions


@@ -67,8 +67,26 @@ const securityHeadersMiddleware = (req, res, next) => {
// Cross-Origin-Opener-Policy - Isole le contexte de navigation
res.setHeader('Cross-Origin-Opener-Policy', 'same-origin');
// Cross-Origin-Resource-Policy - Contrôle le partage de ressources
res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');
// CORS Headers pour CDN - Permet l'accès cross-origin aux ressources publiques
const isPublicResource = req.path.startsWith('/public/') ||
req.path.startsWith('/cdn-files/') ||
req.path.startsWith('/attachments') ||
req.path.match(/\.(png|jpg|jpeg|gif|svg|webp|ico|css|js|woff|woff2|ttf|eot)$/i);
if (isPublicResource) {
// Autoriser toutes les origines pour les ressources publiques du CDN
res.setHeader('Access-Control-Allow-Origin', '*');
res.setHeader('Access-Control-Allow-Methods', 'GET, HEAD, OPTIONS');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Accept, Range');
res.setHeader('Access-Control-Expose-Headers', 'Content-Length, Content-Range, Content-Type');
res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin');
// Cache control pour les ressources statiques
res.setHeader('Cache-Control', 'public, max-age=31536000, immutable');
} else {
// Routes sensibles : garder la sécurité stricte
res.setHeader('Cross-Origin-Resource-Policy', 'same-origin');
}
next();
};
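Review bot: The extension fallback in `isPublicResource` (`req.path.match(/\.(png|…|js|…)$/i)`) is not tied to any route prefix, so every endpoint whose path ends in `.js`, `.css` or an image extension — including dynamic or authenticated ones — gets `Access-Control-Allow-Origin: *`, `Cross-Origin-Resource-Policy: cross-origin` and `Cache-Control: public, max-age=31536000, immutable`, which lets shared caches and browsers keep that response for a year; `startsWith('/attachments')` without a trailing slash likewise matches unrelated paths such as `/attachments-admin`. The same year-long `immutable` directive on `/cdn-files/` and `/attachments` is only safe if those URLs are content-addressed; uploads that can be replaced or deleted would otherwise continue to be served from caches after removal. I would restrict the extension test to the `/public/` prefix, match `/attachments` exactly or with a trailing slash, and give uploads a shorter, non-immutable lifetime (the `3600` below is a placeholder to adjust to the actual upload model); the Access-Control-* lines stay as they are. `securityHeadersMiddleware` starts before this hunk.
```javascript
// CORS Headers pour CDN - Permet l'accès cross-origin aux ressources publiques
const staticAssetPattern = /\.(png|jpg|jpeg|gif|svg|webp|ico|css|js|woff|woff2|ttf|eot)$/i;
const isStaticAsset = req.path.startsWith('/public/') && staticAssetPattern.test(req.path);
const isUploadedFile = req.path.startsWith('/cdn-files/') ||
  req.path === '/attachments' || req.path.startsWith('/attachments/');
if (isStaticAsset || isUploadedFile) {
  // … unchanged: Access-Control-* and Cross-Origin-Resource-Policy headers …
  // Only fingerprinted static assets may be cached as immutable; uploads can change or be removed.
  res.setHeader('Cache-Control', isStaticAsset
    ? 'public, max-age=31536000, immutable'
    : 'public, max-age=3600');
} else {
  // … unchanged: same-origin CORP for sensitive routes …
}
```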