Add CORS and CSP setting

Resolve #5

README.md

@@ -60,6 +60,13 @@ export default {
     // ダウンロードするファイルの最大サイズ (bytes)
     maxSize: 262144000,
 
+    // CORS
+    ['Access-Control-Allow-Origin']: '*',
+    ['Access-Control-Allow-Headers']: '*',
+
+    // CSP
+    ['Content-Security-Policy']: `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`,
+
     // フォワードプロキシ
     // proxy: 'http://127.0.0.1:3128'
 }

built/index.d.ts

@@ -4,6 +4,9 @@ import * as http from 'node:http';
 import * as https from 'node:https';
 import type { FastifyInstance } from 'fastify';
 export type MediaProxyOptions = {
+    ['Access-Control-Allow-Origin']?: string;
+    ['Access-Control-Allow-Headers']?: string;
+    ['Content-Security-Policy']?: string;
     userAgent?: string;
     allowedPrivateNetworks?: string[];
     maxSize?: number;

built/index.js

@@ -42,7 +42,10 @@ export function setMediaProxyConfig(setting) {
 export default function (fastify, options, done) {
     setMediaProxyConfig(options);
     fastify.addHook('onRequest', (request, reply, done) => {
-        reply.header('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
+        reply.header('Access-Control-Allow-Origin', options['Access-Control-Allow-Origin'] ?? '*');
+        reply.header('Access-Control-Allow-Headers', options['Access-Control-Allow-Headers'] ?? '*');
+        reply.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
+        reply.header('Content-Security-Policy', options['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
         done();
     });
     fastify.register(fastifyStatic, {

src/index.ts

@@ -20,6 +20,9 @@ const _dirname = dirname(_filename);
 const assets = `${_dirname}/../../server/file/assets/`;
 
 export type MediaProxyOptions = {
+    ['Access-Control-Allow-Origin']?: string;
+    ['Access-Control-Allow-Headers']?: string;
+    ['Content-Security-Policy']?: string;
     userAgent?: string;
     allowedPrivateNetworks?: string[];
     maxSize?: number;
@@ -66,7 +69,10 @@ export default function (fastify: FastifyInstance, options: MediaProxyOptions |
     setMediaProxyConfig(options);
 
     fastify.addHook('onRequest', (request, reply, done) => {
-        reply.header('Content-Security-Policy', `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
+        reply.header('Access-Control-Allow-Origin', options!['Access-Control-Allow-Origin'] ?? '*');
+        reply.header('Access-Control-Allow-Headers', options!['Access-Control-Allow-Headers'] ?? '*');
+        reply.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
+        reply.header('Content-Security-Policy', options!['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
         done();
     });