mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-05-18 07:01:57 +08:00
27227c9ece
Previously we would check the request for a matching CDN hostname before applying the `Access-Control-Allow-Origin` header. That logic requires the CDN to include its public-facing hostname in the `Host` header, which is not always the case. Since we are only running this `apply_cdn_headers` before_action on publicly-accessible asset routes, we can simplify things so that the `Access-Control-Allow-Origin: *` header is always included. That will make CDN config requirements much more relaxed. At the moment, this is primarily relevant to the HighlightJsController routes, which are loaded using native JS `type=module`. But in the near future, we plan to expand our use of `type=module` to more critical JS assets like translations and themes. Also drops the `Access-Control-Allow-Methods` header from these responses. That isn't needed for `GET` and `HEAD` requests. |
||
|---|---|---|
| .. | ||
| anonymous_cache.rb | ||
| csp_script_nonce_injector.rb | ||
| default_headers.rb | ||
| discourse_public_exceptions.rb | ||
| enforce_hostname.rb | ||
| missing_avatars.rb | ||
| omniauth_bypass_middleware.rb | ||
| processing_request.rb | ||
| request_tracker.rb | ||
