From 2679ec2b28310a03e1c33fee9d639679e89a7dd7 Mon Sep 17 00:00:00 2001
From: tamaina
Date: Mon, 20 Feb 2023 14:45:15 +0000
Subject: [PATCH] Add CORS and CSP setting

Resolve #5

---
 README.md | 7 +++++++
 built/index.d.ts | 3 +++
 built/index.js | 5 ++++-
 src/index.ts | 8 +++++++-
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 32b44f2..70ce61b 100644
--- a/README.md
+++ b/README.md
@@ -60,6 +60,13 @@ export default {
   // ダウンロードするファイルの最大サイズ (bytes)
   maxSize: 262144000,
 
+  // CORS
+  ['Access-Control-Allow-Origin']: '*',
+  ['Access-Control-Allow-Headers']: '*',
+
+  // CSP
+  ['Content-Security-Policy']: `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`,
+
   // フォワードプロキシ
   // proxy: 'http://127.0.0.1:3128'
 }
diff --git a/built/index.d.ts b/built/index.d.ts
index 9032e39..7d29401 100644
--- a/built/index.d.ts
+++ b/built/index.d.ts
@@ -4,6 +4,9 @@ import * as http from 'node:http';
 import * as https from 'node:https';
 import type { FastifyInstance } from 'fastify';
 export type MediaProxyOptions = {
+    ['Access-Control-Allow-Origin']?: string;
+    ['Access-Control-Allow-Headers']?: string;
+    ['Content-Security-Policy']?: string;
     userAgent?: string;
     allowedPrivateNetworks?: string[];
     maxSize?: number;
diff --git a/built/index.js b/built/index.js
index 84b8227..f500463 100644
--- a/built/index.js
+++ b/built/index.js
@@ -42,7 +42,10 @@ export function setMediaProxyConfig(setting) {
 export default function (fastify, options, done) {
     setMediaProxyConfig(options);
     fastify.addHook('onRequest', (request, reply, done) => {
-        reply.header('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
+        reply.header('Access-Control-Allow-Origin', options['Access-Control-Allow-Origin'] ?? '*');
+        reply.header('Access-Control-Allow-Headers', options['Access-Control-Allow-Headers'] ?? '*');
+        reply.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
+        reply.header('Content-Security-Policy', options['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
         done();
     });
     fastify.register(fastifyStatic, {
diff --git a/src/index.ts b/src/index.ts
index 09ef82c..dd5863b 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -20,6 +20,9 @@ const _dirname = dirname(_filename);
 const assets = `${_dirname}/../../server/file/assets/`;
 
 export type MediaProxyOptions = {
+	['Access-Control-Allow-Origin']?: string;
+	['Access-Control-Allow-Headers']?: string;
+	['Content-Security-Policy']?: string;
 	userAgent?: string;
 	allowedPrivateNetworks?: string[];
 	maxSize?: number;
@@ -66,7 +69,10 @@ export default function (fastify: FastifyInstance, options: MediaProxyOptions |
 	setMediaProxyConfig(options);
 	fastify.addHook('onRequest', (request, reply, done) => {
-		reply.header('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
+		reply.header('Access-Control-Allow-Origin', options!['Access-Control-Allow-Origin'] ?? '*');
+		reply.header('Access-Control-Allow-Headers', options!['Access-Control-Allow-Headers'] ?? '*');
+		reply.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
+		reply.header('Content-Security-Policy', options!['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
 		done();
 	});
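Review bot: The three header-valued fields added to `MediaProxyOptions` in the `@@ -20,6 +20,9 @@` hunk carry no TSDoc, so an operator reading the type cannot tell that an unset `Access-Control-Allow-Origin` falls back to `'*'` (the default visible in the hook hunks of this patch) or that a configured value is written to the response verbatim. I would document each field, e.g. `/** Sent as Access-Control-Allow-Origin on every response; defaults to '*'. */` and `/** Sent as Content-Security-Policy; defaults to "default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'". */`. The origin field deserves one more caveat: when a specific origin rather than `*` is configured, the hook in this patch does not add `Vary: Origin`, so a shared cache in front of the proxy may replay one origin's response to a request from another unless that header is set somewhere outside the patch; `reply.header('Vary', 'Origin');` in the same hook would close that. The `MediaProxyOptions` type continues past the end of the hunk.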