DEV: Simplify CORS logic for public asset routes #33106
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously we would check the request for a matching CDN hostname before applying the `Access-Control-Allow-Origin` header. That logic requires the CDN to include its public-facing hostname in the `Host` header, which is not always the case. Since we are only running this `apply_cdn_headers` before_action on publicly-accessible asset routes, we can simplify things so that the `Access-Control-Allow-Origin: *` header is always included. At the moment, this is primarily relevant to the HighlightJsController routes, which are loaded using native JS `type=module`. But in the near future, we plan to expand our use of `type=module` to more critical JS assets like translations and themes.
That's only needed for preflight, which isn't needed for 'simple requests' like GET and HEAD
CvX
approved these changes
Jun 7, 2025
martin-brennan
pushed a commit
that referenced
this pull request
Jun 10, 2025
Previously we would check the request for a matching CDN hostname before applying the `Access-Control-Allow-Origin` header. That logic requires the CDN to include its public-facing hostname in the `Host` header, which is not always the case. Since we are only running this `apply_cdn_headers` before_action on publicly-accessible asset routes, we can simplify things so that the `Access-Control-Allow-Origin: *` header is always included. That will make CDN config requirements much more relaxed. At the moment, this is primarily relevant to the HighlightJsController routes, which are loaded using native JS `type=module`. But in the near future, we plan to expand our use of `type=module` to more critical JS assets like translations and themes. Also drops the `Access-Control-Allow-Methods` header from these responses. That isn't needed for `GET` and `HEAD` requests.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously we would check the request for a matching CDN hostname before applying the
Access-Control-Allow-Originheader. That logic requires the CDN to include its public-facing hostname in theHostheader, which is not always the case.Since we are only running this
apply_cdn_headersbefore_action on publicly-accessible asset routes, we can simplify things so that theAccess-Control-Allow-Origin: *header is always included. That will make CDN config requirements much more relaxed.At the moment, this is primarily relevant to the HighlightJsController routes, which are loaded using native JS
type=module. But in the near future, we plan to expand our use oftype=moduleto more critical JS assets like translations and themes.Also drops the
Access-Control-Allow-Methodsheader from these responses. That isn't needed forGETandHEADrequests.