feature: set crossOriginResourcePolicy to sameOrigin in most cases (#116

)
lvce-editor · Dec 23, 2024 · e522cee · e522cee
1 parent d5b4c05
commit e522cee
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 7 deletions.
diff --git a/src/parts/CrossOriginResourcePolicy/CrossOriginResourcePolicy.ts b/src/parts/CrossOriginResourcePolicy/CrossOriginResourcePolicy.ts
@@ -1 +1,2 @@
-export const value = 'cross-origin'
+export const SameOrigin = 'same-origin'
+export const CrossOrigin = 'cross-origin'
diff --git a/src/parts/DefaultHeaders/DefaultHeaders.ts b/src/parts/DefaultHeaders/DefaultHeaders.ts
@@ -1,4 +1,6 @@
+import * as HttpHeader from '../HttpHeader/HttpHeader.ts'
+
 export const defaultHeaders = {
-  'Cross-Origin-Resource-Policy': 'cross-origin',
-  'Cross-Origin-Embedder-Policy': 'require-corp',
+  [HttpHeader.CrossOriginResourcePolicy]: 'cross-origin',
+  [HttpHeader.CrossOriginEmbedderPolicy]: 'require-corp',
 }
diff --git a/src/parts/GetHeaders/GetHeaders.ts b/src/parts/GetHeaders/GetHeaders.ts
@@ -16,7 +16,7 @@ export const getHeaders = (absolutePath: string, etag?: string): any => {
   // TODO support strong csp with webworkers
   // TODO support csp for iframes inside iframes?
   if (absolutePath.endsWith('.html')) {
-    headers[HttpHeader.CrossOriginResourcePolicy] = CrossOriginResourcePolicy.value
+    headers[HttpHeader.CrossOriginResourcePolicy] = CrossOriginResourcePolicy.SameOrigin
     headers[HttpHeader.CrossOriginEmbedderPolicy] = CrossOriginEmbedderPolicy.value
   } else {
     headers[HttpHeader.CrossOriginResourcePolicy] = 'same-origin'

diff --git a/src/parts/GetIndexResponse/GetIndexResponse.ts b/src/parts/GetIndexResponse/GetIndexResponse.ts
@@ -17,7 +17,7 @@ export const getIndexResponse = async (info: Info): Promise<any> => {
         [HttpHeader.ContentSecurityPolicy]: info.contentSecurityPolicy,
         [HttpHeader.CrossOriginEmbedderPolicy]: CrossOriginEmbedderPolicy.value,
         [HttpHeader.CrossOriginOpenerPolicy]: CrossOriginOpenerPolicy.value,
-        [HttpHeader.CrossOriginResourcePolicy]: CrossOriginResourcePolicy.value,
+        [HttpHeader.CrossOriginResourcePolicy]: CrossOriginResourcePolicy.SameOrigin, // TODO find out why in browser it works differently than in electron
       },
     },
   }

diff --git a/src/parts/HandleIndexHtml/HandleIndexHtml.ts b/src/parts/HandleIndexHtml/HandleIndexHtml.ts
@@ -16,7 +16,7 @@ export const handleIndexHtml = async (
     const csp = GetContentSecurityPolicyDocument.getContentSecurityPolicyDocument(contentSecurityPolicy)
     const contentType = GetContentType.getContentType(filePath)
     const headers = {
-      [HttpHeader.CrossOriginResourcePolicy]: CrossOriginResourcePolicy.value,
+      [HttpHeader.CrossOriginResourcePolicy]: CrossOriginResourcePolicy.CrossOrigin,
       [HttpHeader.CrossOriginEmbedderPolicy]: CrossOriginEmbedderPolicy.value,
       [HttpHeader.ContentSecurityPolicy]: csp,
       [HttpHeader.ContentType]: contentType,

diff --git a/test/GetIndexResponse.test.ts b/test/GetIndexResponse.test.ts
@@ -20,7 +20,7 @@ test('getIndexResponse', async () => {
       headers: {
         'Content-Security-Policy': "default-src 'self'",
         'Content-Type': 'text/html',
-        'Cross-Origin-Resource-Policy': 'cross-origin',
+        'Cross-Origin-Resource-Policy': 'same-origin',
         'Cross-Origin-Embedder-Policy': 'require-corp',
         'Cross-Origin-Opener-Policy': 'same-origin',
       },