Access-Control-Allow-Originが'*'に設定されている時要求Originを鸚鵡返し

Resolve #5
tamaina 2023-02-20 15:34:51 +00:00
parent 5728bdd7aa
commit 495f655973
4 changed files with 29 additions and 7 deletions


@ -61,6 +61,10 @@ export default {
maxSize: 262144000,
// CORS
// WARN:
// 'Access-Control-Allow-Origin'を'*'に設定した場合、要求のOriginヘッダーを応答します。
// Misskeyのアバタークロップに必要なため
// Varyヘッダーが付加されるため、同じURLでもOriginごとに画像が生成されてしまうはずです。
['Access-Control-Allow-Origin']: '*',
['Access-Control-Allow-Headers']: '*',


@ -41,11 +41,20 @@ export function setMediaProxyConfig(setting) {
}
export default function (fastify, options, done) {
setMediaProxyConfig(options);
const corsOrigin = options['Access-Control-Allow-Origin'] ?? '*';
const corsHeader = options['Access-Control-Allow-Headers'] ?? '*';
const csp = options['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`;
fastify.addHook('onRequest', (request, reply, done) => {
reply.header('Access-Control-Allow-Origin', options['Access-Control-Allow-Origin'] ?? '*');
reply.header('Access-Control-Allow-Headers', options['Access-Control-Allow-Headers'] ?? '*');
if (corsOrigin === '*') {
reply.header('Access-Control-Allow-Origin', request.headers.origin ?? '*');
reply.header('Vary', 'Origin');
}
else {
reply.header('Access-Control-Allow-Origin', corsOrigin);
}
reply.header('Access-Control-Allow-Headers', corsHeader);
reply.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
reply.header('Content-Security-Policy', options['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
reply.header('Content-Security-Policy', csp);
done();
});
fastify.register(fastifyStatic, {
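Review bot: The echo branch at `if (corsOrigin === '*')` reflects any request Origin (including the literal `null` an opaque origin sends) without recording the invariant that keeps this safe: because no `Access-Control-Allow-Credentials` header is emitted, the reflected value grants nothing beyond `*`, but if that header is ever added to this hook any site could read proxied responses with the visitor's cookies. I would add above the branch: `// Reflecting Origin is only as permissive as '*' while no Access-Control-Allow-Credentials header is sent; never add that header in this hook.` Note also that `reply.header('Vary', 'Origin')` sets the header outright rather than appending, so if a later plugin also sets Vary (e.g. for Accept-Encoding) one value presumably replaces the other instead of merging — worth checking against the plugins registered after this hook. The same change is mirrored in the TypeScript source further down this page.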


@ -1,6 +1,6 @@
{
"name": "misskey-media-proxy",
"version": "0.0.11",
"version": "0.0.12",
"description": "The Media Proxy for Misskey",
"main": "built/index.js",
"packageManager": "pnpm@7.26.0",


@ -68,11 +68,20 @@ export function setMediaProxyConfig(setting?: MediaProxyOptions | null) {
export default function (fastify: FastifyInstance, options: MediaProxyOptions | null | undefined, done: (err?: Error) => void) {
setMediaProxyConfig(options);
const corsOrigin = options!['Access-Control-Allow-Origin'] ?? '*';
const corsHeader = options!['Access-Control-Allow-Headers'] ?? '*';
const csp = options!['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`;
fastify.addHook('onRequest', (request, reply, done) => {
reply.header('Access-Control-Allow-Origin', options!['Access-Control-Allow-Origin'] ?? '*');
reply.header('Access-Control-Allow-Headers', options!['Access-Control-Allow-Headers'] ?? '*');
if (corsOrigin === '*') {
reply.header('Access-Control-Allow-Origin', request.headers.origin ?? '*');
reply.header('Vary', 'Origin');
} else {
reply.header('Access-Control-Allow-Origin', corsOrigin);
}
reply.header('Access-Control-Allow-Headers', corsHeader);
reply.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
reply.header('Content-Security-Policy', options!['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
reply.header('Content-Security-Policy', csp);
done();
});