Add CORS and CSP setting

Resolve #5
2025-04-29 02:47:26 +09:00 · 2023-02-20 14:45:15 +00:00 · 2023-02-20 14:45:15 +00:00 · 2679ec2b28
commit 2679ec2b28
parent ea5af77e6e
4 changed files with 21 additions and 2 deletions
--- a/README.md
+++ b/README.md
@ -60,6 +60,13 @@ export default {
    // ダウンロードするファイルの最大サイズ (bytes)
    maxSize: 262144000,

+    // CORS
+    ['Access-Control-Allow-Origin']: '*',
+    ['Access-Control-Allow-Headers']: '*',
+
+    // CSP
+    ['Content-Security-Policy']: `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`,
+
    // フォワードプロキシ
    // proxy: 'http://127.0.0.1:3128'
 }
--- a/built/index.d.ts
+++ b/built/index.d.ts
@ -4,6 +4,9 @@ import * as http from 'node:http';
 import * as https from 'node:https';
 import type { FastifyInstance } from 'fastify';
 export type MediaProxyOptions = {
+    ['Access-Control-Allow-Origin']?: string;
+    ['Access-Control-Allow-Headers']?: string;
+    ['Content-Security-Policy']?: string;
    userAgent?: string;
    allowedPrivateNetworks?: string[];
    maxSize?: number;
--- a/built/index.js
+++ b/built/index.js
@ -42,7 +42,10 @@ export function setMediaProxyConfig(setting) {
 export default function (fastify, options, done) {
    setMediaProxyConfig(options);
    fastify.addHook('onRequest', (request, reply, done) => {
-        reply.header('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
+        reply.header('Access-Control-Allow-Origin', options['Access-Control-Allow-Origin'] ?? '*');
+        reply.header('Access-Control-Allow-Headers', options['Access-Control-Allow-Headers'] ?? '*');
+        reply.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
+        reply.header('Content-Security-Policy', options['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
        done();
    });
    fastify.register(fastifyStatic, {
--- a/src/index.ts
+++ b/src/index.ts
@ -20,6 +20,9 @@ const _dirname = dirname(_filename);
 const assets = `${_dirname}/../../server/file/assets/`;

 export type MediaProxyOptions = {
+    ['Access-Control-Allow-Origin']?: string;
+    ['Access-Control-Allow-Headers']?: string;
+    ['Content-Security-Policy']?: string;
    userAgent?: string;
    allowedPrivateNetworks?: string[];
    maxSize?: number;
@ -66,7 +69,10 @@ export default function (fastify: FastifyInstance, options: MediaProxyOptions |
    setMediaProxyConfig(options);

    fastify.addHook('onRequest', (request, reply, done) => {
-        reply.header('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
+        reply.header('Access-Control-Allow-Origin', options!['Access-Control-Allow-Origin'] ?? '*');
+        reply.header('Access-Control-Allow-Headers', options!['Access-Control-Allow-Headers'] ?? '*');
+        reply.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
+        reply.header('Content-Security-Policy', options!['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
        done();
    });