Access-Control-Allow-Originが'*'に設定されている時要求Originを鸚鵡返し

Resolve #5

README.md

@@ -61,6 +61,10 @@ export default {
     maxSize: 262144000,
 
     // CORS
+    // WARN:
+    //    'Access-Control-Allow-Origin'を'*'に設定した場合、要求のOriginヘッダーを応答します。
+    //    （Misskeyのアバタークロップに必要なため）
+    //    Varyヘッダーが付加されるため、同じURLでもOriginごとに画像が生成されてしまうはずです。
     ['Access-Control-Allow-Origin']: '*',
     ['Access-Control-Allow-Headers']: '*',
 

built/index.js

@@ -41,11 +41,20 @@ export function setMediaProxyConfig(setting) {
 }
 export default function (fastify, options, done) {
     setMediaProxyConfig(options);
+    const corsOrigin = options['Access-Control-Allow-Origin'] ?? '*';
+    const corsHeader = options['Access-Control-Allow-Headers'] ?? '*';
+    const csp = options['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`;
     fastify.addHook('onRequest', (request, reply, done) => {
-        reply.header('Access-Control-Allow-Origin', options['Access-Control-Allow-Origin'] ?? '*');
+        if (corsOrigin === '*') {
-        reply.header('Access-Control-Allow-Headers', options['Access-Control-Allow-Headers'] ?? '*');
+            reply.header('Access-Control-Allow-Origin', request.headers.origin ?? '*');
+            reply.header('Vary', 'Origin');
+        }
+        else {
+            reply.header('Access-Control-Allow-Origin', corsOrigin);
+        }
+        reply.header('Access-Control-Allow-Headers', corsHeader);
         reply.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
-        reply.header('Content-Security-Policy', options['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
+        reply.header('Content-Security-Policy', csp);
         done();
     });
     fastify.register(fastifyStatic, {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "misskey-media-proxy",
-  "version": "0.0.11",
+  "version": "0.0.12",
   "description": "The Media Proxy for Misskey",
   "main": "built/index.js",
   "packageManager": "pnpm@7.26.0",

src/index.ts

@@ -68,11 +68,20 @@ export function setMediaProxyConfig(setting?: MediaProxyOptions | null) {
 export default function (fastify: FastifyInstance, options: MediaProxyOptions | null | undefined, done: (err?: Error) => void) {
     setMediaProxyConfig(options);
 
+    const corsOrigin = options!['Access-Control-Allow-Origin'] ?? '*';
+    const corsHeader = options!['Access-Control-Allow-Headers'] ?? '*';
+    const csp = options!['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`;
+
     fastify.addHook('onRequest', (request, reply, done) => {
-        reply.header('Access-Control-Allow-Origin', options!['Access-Control-Allow-Origin'] ?? '*');
+        if (corsOrigin === '*') {
-        reply.header('Access-Control-Allow-Headers', options!['Access-Control-Allow-Headers'] ?? '*');
+            reply.header('Access-Control-Allow-Origin', request.headers.origin ?? '*');
+            reply.header('Vary', 'Origin');
+        } else {
+            reply.header('Access-Control-Allow-Origin', corsOrigin);
+        }
+        reply.header('Access-Control-Allow-Headers', corsHeader);
         reply.header('Access-Control-Allow-Methods', 'GET, OPTIONS');
-        reply.header('Content-Security-Policy', options!['Content-Security-Policy'] ?? `default-src 'none'; img-src 'self'; media-src 'self'; style-src 'unsafe-inline'`);
+        reply.header('Content-Security-Policy', csp);
         done();
     });