feat: apply access-control-allow-origin globally

instead of only on some arbitrary routes configurable via config, please check sample, disabled by default i still recommend configuring from your own http server (nginx, etc.), if you want to have a more complex per-routes headers
2025-01-31 07:11:33 +00:00 · 2022-05-02 13:58:04 +07:00 · 2022-05-02 13:58:04 +07:00 · 595dd81455
commit 595dd81455
parent c89de676db
2 changed files with 39 additions and 12 deletions
--- a/config.sample.js
+++ b/config.sample.js
@ -138,14 +138,18 @@ module.exports = {
  /*
    Helmet security headers.
    https://github.com/helmetjs/helmet/tree/v5.0.2#how-it-works
+
+    These headers will be applied to ALL resources, including API endpoints,
+    and files if you serve them with node.
+    If you need to disable some of the headers at certain routes, it's recommended
+    to instead use own http server (nginx, etc.) in front of lolisafe and configure from there.
+
+    NOTE: You may set "helmet" option as an empty object {} to disable Helmet entirely.
+    Setting it as any falsy value will instead apply some default configurations.
  */
  helmet: {
    contentSecurityPolicy: false,
-    /*
-      Cross-Origin-* headers were enabled by default since Helmet v5.0.0
-      However, for installations that use own http server for files (nginx, etc.),
-      these headers also need to be configured in there.
-    */
+    // Cross-Origin-* headers were enabled by default since Helmet v5.0.0
    crossOriginEmbedderPolicy: false,
    crossOriginOpenerPolicy: false,
    crossOriginResourcePolicy: false,
@ -161,6 +165,21 @@ module.exports = {
    originAgentCluster: false
  },

+  /*
+    Access-Control-Allow-Origin
+    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
+    These headers will be applied to ALL resources, including API endpoints,
+    and files if you serve them with node.
+
+    If set to true, it will be set as wildcard (*).
+    If set to any falsy value, it will be not set altogether.
+    Otherwise if any string value, it will be set as-is.
+
+    Whether to use this in conjunction with Cross-Origin-* headers depends on your needs.
+    FAQ: https://resourcepolicy.fyi/#acao
+  */
+  accessControlAllowOrigin: false,
+
  /*
    Trust proxy.
    Enable this if you are using proxy such as Cloudflare or Incapsula,
--- a/lolisafe.js
+++ b/lolisafe.js
@ -77,6 +77,20 @@ if (config.helmet instanceof Object) {
  safe.use(helmet(defaults))
 }

+// Access-Control-Allow-Origin
+if (config.accessControlAllowOrigin) {
+  if (config.accessControlAllowOrigin === true) {
+    config.accessControlAllowOrigin = '*'
+  }
+  safe.use((req, res, next) => {
+    res.set('Access-Control-Allow-Origin', config.accessControlAllowOrigin)
+    if (config.accessControlAllowOrigin !== '*') {
+      res.vary('Origin')
+    }
+    next()
+  })
+}
+
 if (config.trustProxy) {
  safe.set('trust proxy', 1)
 }
@ -105,9 +119,7 @@ safe.use(bodyParser.urlencoded({ extended: true }))
 safe.use(bodyParser.json())

 const cdnPages = [...config.pages]
-let setHeaders = res => {
-  res.set('Access-Control-Allow-Origin', '*')
-}
+let setHeaders

 const contentTypes = config.overrideContentTypes && Object.keys(config.overrideContentTypes)
 const overrideContentTypes = (res, path) => {
@ -187,7 +199,6 @@ if (config.cacheControl) {
  if (config.serveFilesWithNode) {
    initServeStaticUploads({
      setHeaders: (res, path) => {
-        res.set('Access-Control-Allow-Origin', '*')
        // Override Content-Type if necessary
        if (contentTypes && contentTypes.length) {
          overrideContentTypes(res, path)
@ -205,13 +216,11 @@ if (config.cacheControl) {
  // This requires the assets to use version in their query string,
  // as they will be cached by clients for a very long time.
  setHeaders = res => {
-    res.set('Access-Control-Allow-Origin', '*')
    res.set('Cache-Control', cacheControls.static)
  }

  // Consider album ZIPs static as well, since they use version in their query string
  safe.use(['/api/album/zip'], (req, res, next) => {
-    res.set('Access-Control-Allow-Origin', '*')
    const versionString = parseInt(req.query.v)
    if (versionString > 0) {
      res.set('Cache-Control', cacheControls.static)
@ -223,7 +232,6 @@ if (config.cacheControl) {
 } else if (config.serveFilesWithNode) {
  initServeStaticUploads({
    setHeaders: (res, path) => {
-      res.set('Access-Control-Allow-Origin', '*')
      // Override Content-Type if necessary
      if (contentTypes && contentTypes.length) {
        overrideContentTypes(res, path)