Modify getObject CORP header to use cross-origin policy

There are use cases where COMS is being used as a way to directly reference and embed content into a 3rd-party webpage. The default helmet CORP policy of same-origin was too restrictive for this specific endpoint. Signed-off-by: Jeremy Ho <jujaga@gmail.com>
bcgov · Jan 15, 2024 · dc254b9 · dc254b9
1 parent 668398e
commit dc254b9
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/app/src/routes/v1/object.js b/app/src/routes/v1/object.js
@@ -1,4 +1,5 @@
 const router = require('express').Router();
+const helmet = require('helmet');
 
 const { Permissions } = require('../../components/constants');
 const { objectController, syncController } = require('../../controllers');
@@ -37,7 +38,8 @@ router.head('/:objectId', objectValidator.headObject, currentObject, hasPermissi
 );
 
 /** Returns the object */
-router.get('/:objectId', objectValidator.readObject, currentObject, hasPermission(Permissions.READ),
+router.get('/:objectId', helmet({ crossOriginResourcePolicy: { policy: 'cross-origin' } }),
+  objectValidator.readObject, currentObject, hasPermission(Permissions.READ),
   (req, res, next) => {
   // TODO: Add validation to reject unexpected query parameters
     objectController.readObject(req, res, next);