Discourse/discourse
Discourse/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-08-20 18:52:44 +08:00
Code Packages Activity Actions 13

FIX: Ensure app-cdn CORS is not overridden by cors_origin setting (#24661)

Browse source 
We add `Access-Control-Allow-Origin: *` to all asset requests which are requested via a configured CDN. This is particularly important now that we're using browser-native `import()` to load the highlightjs bundle. Unfortunately, user-configurable 'cors_origins' site setting was overriding the wldcard value on CDN assets and causing CORS errors.

This commit updates the logic to give the `*` value precedence, and adds a spec for the situation. It also invalidates the cache of hljs assets (because CDNs will have cached the bad Access-Control-Allow-Origin header).

The rack-cors middleware is also slightly tweaked so that it is always inserted. This makes things easier to test and more consistent.
This commit is contained in:
David Taylor 2023-12-01 12:57:11 +00:00 committed by GitHub
parent b72a177fb3
commit ecf7a4f0c6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 43 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

5
lib/highlight_js.rb
View file

@ -2,6 +2,7 @@
module HighlightJs
HIGHLIGHTJS_DIR ||= "#{Rails.root}/app/assets/javascripts/node_modules/@highlightjs/cdn-assets/"
VERSION ||= 1 # bump to invalidate caches following core changes
def self.languages
langs = Dir.glob(HIGHLIGHTJS_DIR + "languages/*.js").map { |path| File.basename(path)[0..-8] }
@ -36,7 +37,9 @@ module HighlightJs
cache_info = {
lang_string: lang_string,
digest:
Digest::SHA1.hexdigest(bundle(lang_string.split("|")) + "|#{GlobalSetting.asset_url_salt}"),
Digest::SHA1.hexdigest(
bundle(lang_string.split("|")) + "|#{VERSION}|#{GlobalSetting.asset_url_salt}",
),
}
cache[RailsMultisite::ConnectionManagement.current_db] = cache_info