diff --git a/README.md b/README.md
index 70ce61b..dabebd5 100644
--- a/README.md
+++ b/README.md
@@ -61,6 +61,10 @@ export default {
 maxSize: 262144000,
 // CORS
+ // WARN:
+ // 'Access-Control-Allow-Origin'を'*'に設定した場合、要求のOriginヘッダーを応答します。
+ // (Misskeyのアバタークロップに必要なため)
+ // Varyヘッダーが付加されるため、同じURLでもOriginごとに画像が生成されてしまうはずです。
 ['Access-Control-Allow-Origin']: '*',
 ['Access-Control-Allow-Headers']: '*',
diff --git a/built/index.js b/built/index.js
index f500463..980d875 100644
--- a/built/index.js
+++ b/built/index.js
@@ -41,11 +41,20 @@ export function setMediaProxyConfig(setting) {
 }
 export default function (fastify, options, done) {
 setMediaProxyConfig(options);
+ const corsOrigin = options['Access-Control-Allow-Origin'] ?? '*';
+ const corsHeader = options['Access-Control-Allow-Headers'] ?? '*';
+ const csp = options['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`;
 fastify.addHook('onRequest', (request, reply, done) => {
- reply.header('Access-Control-Allow-Origin', options['Access-Control-Allow-Origin'] ?? '*');
- reply.header('Access-Control-Allow-Headers', options['Access-Control-Allow-Headers'] ?? '*');
+ if (corsOrigin === '*') {
+ reply.header('Access-Control-Allow-Origin', request.headers.origin ?? '*');
+ reply.header('Vary', 'Origin');
+ }
+ else {
+ reply.header('Access-Control-Allow-Origin', corsOrigin);
+ }
+ reply.header('Access-Control-Allow-Headers', corsHeader);
 reply.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
- reply.header('Content-Security-Policy', options['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
+ reply.header('Content-Security-Policy', csp);
 done();
 });
 fastify.register(fastifyStatic, {
diff --git a/package.json b/package.json
index 2151932..79eab8d 100644
--- a/package.json
+++ b/package.json
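Review bot: Reflecting `request.headers.origin` into Access-Control-Allow-Origin in the `if (corsOrigin === '*')` branch is only as harmless as a literal `*` because this hook never sends `Access-Control-Allow-Credentials`; nothing in the code records that invariant, and anyone adding that header later would let any site, including a sandboxed `Origin: null` page, read proxied media with the user's cookies. I would pin it down with a comment on the branch: `// Reflecting Origin is safe only because Access-Control-Allow-Credentials is never set; adding it would grant every origin a credentialed read — keep it that way.` Separately, `reply.header('Vary', 'Origin')` replaces rather than appends as far as I know fastify's `reply.header` works, so if a later plugin (fastify-static, for instance) writes its own Vary value the Origin entry is lost and a shared cache can hand one origin's ACAO to another — worth checking, and merging with `reply.getHeader('vary')` if so. This file is the compiled copy of src/index.ts, so the fix belongs in the source; the matching src hunk runs past the end of this page.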
@@ -1,6 +1,6 @@
 {
 "name": "misskey-media-proxy",
- "version": "0.0.11",
+ "version": "0.0.12",
 "description": "The Media Proxy for Misskey",
 "main": "built/index.js",
 "packageManager": "pnpm@7.26.0",
diff --git a/src/index.ts b/src/index.ts
index dd5863b..ac91ab9 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -68,11 +68,20 @@ export function setMediaProxyConfig(setting?: MediaProxyOptions | null) {
 }
 export default function (fastify: FastifyInstance, options: MediaProxyOptions | null | undefined, done: (err?: Error) => void) {
 setMediaProxyConfig(options);
+ const corsOrigin = options!['Access-Control-Allow-Origin'] ?? '*';
+ const corsHeader = options!['Access-Control-Allow-Headers'] ?? '*';
+ const csp = options!['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`;
+
 fastify.addHook('onRequest', (request, reply, done) => {
- reply.header('Access-Control-Allow-Origin', options!['Access-Control-Allow-Origin'] ?? '*');
- reply.header('Access-Control-Allow-Headers', options!['Access-Control-Allow-Headers'] ?? '*');
+ if (corsOrigin === '*') {
+ reply.header('Access-Control-Allow-Origin', request.headers.origin ?? '*');
+ reply.header('Vary', 'Origin');
+ } else {
+ reply.header('Access-Control-Allow-Origin', corsOrigin);
+ }
+ reply.header('Access-Control-Allow-Headers', corsHeader);
 reply.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
- reply.header('Content-Security-Policy', options!['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
+ reply.header('Content-Security-Policy', csp);
 done();
 });